b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
Size

89KB
MD5

c3b6b8f73d1193fda400f7c9d557fe92
SHA1

1d17f4ac02cd999d3a0caa73db0aa6c1c83af1ae
SHA256

b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b
SHA512

5eac84509b5adc34ec6a177da5268c1cc1bff7ec94f9d28539354bcc9552f76556c3891e33ac319f4b21d3b33456568f3635fc9332f4f7d1350ba37340b81a6c
SSDEEP

1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71PvJdsJG5:1eOLK7hNIMLrCiS4+PwRjY5xhEAXVvx

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2116	wgaugqp.exe
2564	wmtniuu.exe
1716	wsefwc.exe
1552	waxrct.exe
2008	wfxa.exe
1884	wkvb.exe
1284	wrg.exe
2980	wpjh.exe
2772	wrkql.exe
2528	wfquwom.exe
1724	wqryvld.exe
2836	wwcplra.exe
1368	whpdqo.exe
564	wwjlcb.exe
1704	whkoby.exe
836	wvgi.exe
560	wgrw.exe
1608	whobpdc.exe
1692	wajrkkvtq.exe
1924	wdk.exe
2116	welns.exe
1360	wxof.exe
3048	wemhwyv.exe
528	whmrn.exe
2476	wxsrpvhrh.exe
2120	wvkvi.exe
980	wyv.exe
1144	westbne.exe
2820	wptwak.exe
992	wkqt.exe
2612	wlnabaa.exe
1672	wsogig.exe
2928	wxmiel.exe
2728	wgmo.exe
1068	wpinyqrkd.exe
772	wxxmoov.exe
2020	wjwonm.exe
1100	wkvtsbqyg.exe
2684	wyf.exe
3068	wjq.exe
1848	wxmlaekn.exe
612	wvhx.exe
2408	wgsl.exe
564	wsyocri.exe
768	weascp.exe
2180	wsgwmgale.exe
2192	wmcnins.exe
1688	wamxfdwr.exe
2840	wtinakp.exe
1484	whehebfkv.exe
1260	wjvhfk.exe
2880	wxrcjbxj.exe
1080	widooyyj.exe
2940	woogdev.exe
564	wktewfdm.exe
2396	wrvjfk.exe
1948	wwibtrnrk.exe
1520	wisoan.exe
2788	woego.exe
2572	wdaask.exe
2492	wruuwbpfr.exe
2484	www.exe
612	wpdbhog.exe
3064	wbopmn.exe

Loads dropped DLL 64 IoCs

pid	Process
1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
2116	wgaugqp.exe
2116	wgaugqp.exe
2116	wgaugqp.exe
2116	wgaugqp.exe
2116	wgaugqp.exe
2564	wmtniuu.exe
2564	wmtniuu.exe
2564	wmtniuu.exe
2564	wmtniuu.exe
2564	wmtniuu.exe
1716	wsefwc.exe
1716	wsefwc.exe
1716	wsefwc.exe
1716	wsefwc.exe
1716	wsefwc.exe
1552	waxrct.exe
1552	waxrct.exe
1552	waxrct.exe
1552	waxrct.exe
1552	waxrct.exe
2008	wfxa.exe
2008	wfxa.exe
2008	wfxa.exe
2008	wfxa.exe
2008	wfxa.exe
1884	wkvb.exe
1884	wkvb.exe
1884	wkvb.exe
1884	wkvb.exe
1884	wkvb.exe
1284	wrg.exe
1284	wrg.exe
1284	wrg.exe
1284	wrg.exe
1284	wrg.exe
2980	wpjh.exe
2980	wpjh.exe
2980	wpjh.exe
2980	wpjh.exe
2980	wpjh.exe
2772	wrkql.exe
2772	wrkql.exe
2772	wrkql.exe
2772	wrkql.exe
2772	wrkql.exe
2528	wfquwom.exe
2528	wfquwom.exe
2528	wfquwom.exe
2528	wfquwom.exe
2528	wfquwom.exe
1724	wqryvld.exe
1724	wqryvld.exe
1724	wqryvld.exe
1724	wqryvld.exe
1724	wqryvld.exe
2836	wwcplra.exe
2836	wwcplra.exe
2836	wwcplra.exe
2836	wwcplra.exe
2836	wwcplra.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whehebfkv = "\"C:\\Windows\\SysWOW64\\whehebfkv.exe\""	whehebfkv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wyjxmdqpw = "\"C:\\Windows\\SysWOW64\\wyjxmdqpw.exe\""	wyjxmdqpw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqryvld = "\"C:\\Windows\\SysWOW64\\wqryvld.exe\""	wqryvld.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whkoby = "\"C:\\Windows\\SysWOW64\\whkoby.exe\""	whkoby.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmshew = "\"C:\\Windows\\SysWOW64\\wmshew.exe\""	wmshew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvgi = "\"C:\\Windows\\SysWOW64\\wvgi.exe\""	wvgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whobpdc = "\"C:\\Windows\\SysWOW64\\whobpdc.exe\""	whobpdc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlnabaa = "\"C:\\Windows\\SysWOW64\\wlnabaa.exe\""	wlnabaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgsl = "\"C:\\Windows\\SysWOW64\\wgsl.exe\""	wgsl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdaask = "\"C:\\Windows\\SysWOW64\\wdaask.exe\""	wdaask.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwjlcb = "\"C:\\Windows\\SysWOW64\\wwjlcb.exe\""	wwjlcb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjwonm = "\"C:\\Windows\\SysWOW64\\wjwonm.exe\""	wjwonm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnqewq = "\"C:\\Windows\\SysWOW64\\wnqewq.exe\""	wnqewq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whmrn = "\"C:\\Windows\\SysWOW64\\whmrn.exe\""	whmrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkqt = "\"C:\\Windows\\SysWOW64\\wkqt.exe\""	wkqt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\woogdev = "\"C:\\Windows\\SysWOW64\\woogdev.exe\""	woogdev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjverb = "\"C:\\Windows\\SysWOW64\\wjverb.exe\""	wjverb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\waxrct = "\"C:\\Windows\\SysWOW64\\waxrct.exe\""	waxrct.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whpdqo = "\"C:\\Windows\\SysWOW64\\whpdqo.exe\""	whpdqo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\welns = "\"C:\\Windows\\SysWOW64\\welns.exe\""	welns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsogig = "\"C:\\Windows\\SysWOW64\\wsogig.exe\""	wsogig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxrcjbxj = "\"C:\\Windows\\SysWOW64\\wxrcjbxj.exe\""	wxrcjbxj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwcplra = "\"C:\\Windows\\SysWOW64\\wwcplra.exe\""	wwcplra.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\woego = "\"C:\\Windows\\SysWOW64\\woego.exe\""	woego.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wruuwbpfr = "\"C:\\Windows\\SysWOW64\\wruuwbpfr.exe\""	wruuwbpfr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjvprwb = "\"C:\\Windows\\SysWOW64\\wjvprwb.exe\""	wjvprwb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxmiel = "\"C:\\Windows\\SysWOW64\\wxmiel.exe\""	wxmiel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtinakp = "\"C:\\Windows\\SysWOW64\\wtinakp.exe\""	wtinakp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfxa = "\"C:\\Windows\\SysWOW64\\wfxa.exe\""	wfxa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjvhfk = "\"C:\\Windows\\SysWOW64\\wjvhfk.exe\""	wjvhfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwibtrnrk = "\"C:\\Windows\\SysWOW64\\wwibtrnrk.exe\""	wwibtrnrk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgaugqp = "\"C:\\Windows\\SysWOW64\\wgaugqp.exe\""	wgaugqp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmtniuu = "\"C:\\Windows\\SysWOW64\\wmtniuu.exe\""	wmtniuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkvtsbqyg = "\"C:\\Windows\\SysWOW64\\wkvtsbqyg.exe\""	wkvtsbqyg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfoshlxt = "\"C:\\Windows\\SysWOW64\\wfoshlxt.exe\""	wfoshlxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\widooyyj = "\"C:\\Windows\\SysWOW64\\widooyyj.exe\""	widooyyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\whg = "\"C:\\Windows\\SysWOW64\\whg.exe\""	whg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpjh = "\"C:\\Windows\\SysWOW64\\wpjh.exe\""	wpjh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wajrkkvtq = "\"C:\\Windows\\SysWOW64\\wajrkkvtq.exe\""	wajrkkvtq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsyocri = "\"C:\\Windows\\SysWOW64\\wsyocri.exe\""	wsyocri.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wagsyc = "\"C:\\Windows\\SysWOW64\\wagsyc.exe\""	wagsyc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wudecnxv = "\"C:\\Windows\\SysWOW64\\wudecnxv.exe\""	wudecnxv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe\""	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\www = "\"C:\\Windows\\SysWOW64\\www.exe\""	www.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjq = "\"C:\\Windows\\SysWOW64\\wjq.exe\""	wjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wpdbhog = "\"C:\\Windows\\SysWOW64\\wpdbhog.exe\""	wpdbhog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmcnins = "\"C:\\Windows\\SysWOW64\\wmcnins.exe\""	wmcnins.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wylne = "\"C:\\Windows\\SysWOW64\\wylne.exe\""	wylne.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgrw = "\"C:\\Windows\\SysWOW64\\wgrw.exe\""	wgrw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxsrpvhrh = "\"C:\\Windows\\SysWOW64\\wxsrpvhrh.exe\""	wxsrpvhrh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wiblvu = "\"C:\\Windows\\SysWOW64\\wiblvu.exe\""	wiblvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfquwom = "\"C:\\Windows\\SysWOW64\\wfquwom.exe\""	wfquwom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvhx = "\"C:\\Windows\\SysWOW64\\wvhx.exe\""	wvhx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wktewfdm = "\"C:\\Windows\\SysWOW64\\wktewfdm.exe\""	wktewfdm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkggppmh = "\"C:\\Windows\\SysWOW64\\wkggppmh.exe\""	wkggppmh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuktumsx = "\"C:\\Windows\\SysWOW64\\wuktumsx.exe\""	wuktumsx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wxogqvq = "\"C:\\Windows\\SysWOW64\\wxogqvq.exe\""	wxogqvq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkneimc = "\"C:\\Windows\\SysWOW64\\wkneimc.exe\""	wkneimc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wamxfdwr = "\"C:\\Windows\\SysWOW64\\wamxfdwr.exe\""	wamxfdwr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wkvb = "\"C:\\Windows\\SysWOW64\\wkvb.exe\""	wkvb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmwpip = "\"C:\\Windows\\SysWOW64\\wmwpip.exe\""	wmwpip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvgnots = "\"C:\\Windows\\SysWOW64\\wvgnots.exe\""	wvgnots.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdkadqec = "\"C:\\Windows\\SysWOW64\\wdkadqec.exe\""	wdkadqec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdk = "\"C:\\Windows\\SysWOW64\\wdk.exe\""	wdk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wxmiel.exe	wsogig.exe
File created	C:\Windows\SysWOW64\wgmo.exe	wxmiel.exe
File created	C:\Windows\SysWOW64\wjverb.exe	wuktumsx.exe
File created	C:\Windows\SysWOW64\wptwak.exe	westbne.exe
File opened for modification	C:\Windows\SysWOW64\wxrcjbxj.exe	wjvhfk.exe
File opened for modification	C:\Windows\SysWOW64\wrvjfk.exe	wktewfdm.exe
File created	C:\Windows\SysWOW64\wuktumsx.exe	wgpyrv.exe
File opened for modification	C:\Windows\SysWOW64\wpyenkyss.exe	wfoshlxt.exe
File opened for modification	C:\Windows\SysWOW64\wiblvu.exe	wxivdx.exe
File opened for modification	C:\Windows\SysWOW64\wudotg.exe	wnhnxxo.exe
File opened for modification	C:\Windows\SysWOW64\wgcnkwh.exe	wjvprwb.exe
File created	C:\Windows\SysWOW64\wrg.exe	wkvb.exe
File opened for modification	C:\Windows\SysWOW64\wwjlcb.exe	whpdqo.exe
File opened for modification	C:\Windows\SysWOW64\whobpdc.exe	wgrw.exe
File created	C:\Windows\SysWOW64\wpinyqrkd.exe	wgmo.exe
File created	C:\Windows\SysWOW64\wkvtsbqyg.exe	wjwonm.exe
File created	C:\Windows\SysWOW64\woocpvj.exe	waessg.exe
File created	C:\Windows\SysWOW64\wjq.exe	wyf.exe
File opened for modification	C:\Windows\SysWOW64\wnqewq.exe	wagsyc.exe
File opened for modification	C:\Windows\SysWOW64\wylne.exe	wwargb.exe
File opened for modification	C:\Windows\SysWOW64\wrg.exe	wkvb.exe
File created	C:\Windows\SysWOW64\wgrw.exe	wvgi.exe
File opened for modification	C:\Windows\SysWOW64\whmrn.exe	wemhwyv.exe
File opened for modification	C:\Windows\SysWOW64\westbne.exe	wyv.exe
File opened for modification	C:\Windows\SysWOW64\wdxmnlo.exe	woocpvj.exe
File opened for modification	C:\Windows\SysWOW64\wgrw.exe	wvgi.exe
File opened for modification	C:\Windows\SysWOW64\wyf.exe	wkvtsbqyg.exe
File created	C:\Windows\SysWOW64\wvkvi.exe	wxsrpvhrh.exe
File opened for modification	C:\Windows\SysWOW64\wyv.exe	wvkvi.exe
File created	C:\Windows\SysWOW64\wsyocri.exe	wgsl.exe
File opened for modification	C:\Windows\SysWOW64\whg.exe	wvgnots.exe
File created	C:\Windows\SysWOW64\wyjxmdqpw.exe	wkneimc.exe
File created	C:\Windows\SysWOW64\wrvjfk.exe	wktewfdm.exe
File opened for modification	C:\Windows\SysWOW64\wxivdx.exe	wvk.exe
File opened for modification	C:\Windows\SysWOW64\wfxa.exe	waxrct.exe
File opened for modification	C:\Windows\SysWOW64\weascp.exe	wsyocri.exe
File created	C:\Windows\SysWOW64\wsgwmgale.exe	weascp.exe
File opened for modification	C:\Windows\SysWOW64\wrsgngntv.exe	wcjvpqj.exe
File opened for modification	C:\Windows\SysWOW64\wwargb.exe	wioijl.exe
File created	C:\Windows\SysWOW64\wrkql.exe	wpjh.exe
File created	C:\Windows\SysWOW64\welns.exe	wdk.exe
File opened for modification	C:\Windows\SysWOW64\wsogig.exe	wlnabaa.exe
File opened for modification	C:\Windows\SysWOW64\wkggppmh.exe	weupbjox.exe
File opened for modification	C:\Windows\SysWOW64\wklnals.exe	wbopmn.exe
File opened for modification	C:\Windows\SysWOW64\wqryvld.exe	wfquwom.exe
File created	C:\Windows\SysWOW64\wwibtrnrk.exe	wrvjfk.exe
File created	C:\Windows\SysWOW64\www.exe	wruuwbpfr.exe
File created	C:\Windows\SysWOW64\waxrct.exe	wsefwc.exe
File created	C:\Windows\SysWOW64\wxogqvq.exe	wmshew.exe
File opened for modification	C:\Windows\SysWOW64\wkneimc.exe	wdmxb.exe
File created	C:\Windows\SysWOW64\wxmlaekn.exe	wjq.exe
File opened for modification	C:\Windows\SysWOW64\wamxfdwr.exe	wmcnins.exe
File opened for modification	C:\Windows\SysWOW64\wonclc.exe	wiblvu.exe
File opened for modification	C:\Windows\SysWOW64\wmshew.exe	whg.exe
File created	C:\Windows\SysWOW64\wkvb.exe	wfxa.exe
File created	C:\Windows\SysWOW64\wlnabaa.exe	wkqt.exe
File opened for modification	C:\Windows\SysWOW64\www.exe	wruuwbpfr.exe
File opened for modification	C:\Windows\SysWOW64\wudecnxv.exe	wkggppmh.exe
File created	C:\Windows\SysWOW64\wdkadqec.exe	wlatoj.exe
File created	C:\Windows\SysWOW64\wdk.exe	wajrkkvtq.exe
File opened for modification	C:\Windows\SysWOW64\wpinyqrkd.exe	wgmo.exe
File opened for modification	C:\Windows\SysWOW64\wxmlaekn.exe	wjq.exe
File opened for modification	C:\Windows\SysWOW64\wrkql.exe	wpjh.exe
File created	C:\Windows\SysWOW64\wruuwbpfr.exe	wdaask.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2920	2492	WerFault.exe	211
2788	1004	WerFault.exe	263

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2116	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	28
PID 1720 wrote to memory of 2116	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	28
PID 1720 wrote to memory of 2116	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	28
PID 1720 wrote to memory of 2116	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	28
PID 1720 wrote to memory of 2952	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	29
PID 1720 wrote to memory of 2952	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	29
PID 1720 wrote to memory of 2952	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	29
PID 1720 wrote to memory of 2952	1720	b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe	29
PID 2116 wrote to memory of 2564	2116	wgaugqp.exe	31
PID 2116 wrote to memory of 2564	2116	wgaugqp.exe	31
PID 2116 wrote to memory of 2564	2116	wgaugqp.exe	31
PID 2116 wrote to memory of 2564	2116	wgaugqp.exe	31
PID 2116 wrote to memory of 3028	2116	wgaugqp.exe	32
PID 2116 wrote to memory of 3028	2116	wgaugqp.exe	32
PID 2116 wrote to memory of 3028	2116	wgaugqp.exe	32
PID 2116 wrote to memory of 3028	2116	wgaugqp.exe	32
PID 2564 wrote to memory of 1716	2564	wmtniuu.exe	35
PID 2564 wrote to memory of 1716	2564	wmtniuu.exe	35
PID 2564 wrote to memory of 1716	2564	wmtniuu.exe	35
PID 2564 wrote to memory of 1716	2564	wmtniuu.exe	35
PID 2564 wrote to memory of 1652	2564	wmtniuu.exe	36
PID 2564 wrote to memory of 1652	2564	wmtniuu.exe	36
PID 2564 wrote to memory of 1652	2564	wmtniuu.exe	36
PID 2564 wrote to memory of 1652	2564	wmtniuu.exe	36
PID 1716 wrote to memory of 1552	1716	wsefwc.exe	38
PID 1716 wrote to memory of 1552	1716	wsefwc.exe	38
PID 1716 wrote to memory of 1552	1716	wsefwc.exe	38
PID 1716 wrote to memory of 1552	1716	wsefwc.exe	38
PID 1716 wrote to memory of 1436	1716	wsefwc.exe	39
PID 1716 wrote to memory of 1436	1716	wsefwc.exe	39
PID 1716 wrote to memory of 1436	1716	wsefwc.exe	39
PID 1716 wrote to memory of 1436	1716	wsefwc.exe	39
PID 1552 wrote to memory of 2008	1552	waxrct.exe	41
PID 1552 wrote to memory of 2008	1552	waxrct.exe	41
PID 1552 wrote to memory of 2008	1552	waxrct.exe	41
PID 1552 wrote to memory of 2008	1552	waxrct.exe	41
PID 1552 wrote to memory of 660	1552	waxrct.exe	42
PID 1552 wrote to memory of 660	1552	waxrct.exe	42
PID 1552 wrote to memory of 660	1552	waxrct.exe	42
PID 1552 wrote to memory of 660	1552	waxrct.exe	42
PID 2008 wrote to memory of 1884	2008	wfxa.exe	44
PID 2008 wrote to memory of 1884	2008	wfxa.exe	44
PID 2008 wrote to memory of 1884	2008	wfxa.exe	44
PID 2008 wrote to memory of 1884	2008	wfxa.exe	44
PID 2008 wrote to memory of 836	2008	wfxa.exe	45
PID 2008 wrote to memory of 836	2008	wfxa.exe	45
PID 2008 wrote to memory of 836	2008	wfxa.exe	45
PID 2008 wrote to memory of 836	2008	wfxa.exe	45
PID 1884 wrote to memory of 1284	1884	wkvb.exe	47
PID 1884 wrote to memory of 1284	1884	wkvb.exe	47
PID 1884 wrote to memory of 1284	1884	wkvb.exe	47
PID 1884 wrote to memory of 1284	1884	wkvb.exe	47
PID 1884 wrote to memory of 892	1884	wkvb.exe	48
PID 1884 wrote to memory of 892	1884	wkvb.exe	48
PID 1884 wrote to memory of 892	1884	wkvb.exe	48
PID 1884 wrote to memory of 892	1884	wkvb.exe	48
PID 1284 wrote to memory of 2980	1284	wrg.exe	50
PID 1284 wrote to memory of 2980	1284	wrg.exe	50
PID 1284 wrote to memory of 2980	1284	wrg.exe	50
PID 1284 wrote to memory of 2980	1284	wrg.exe	50
PID 1284 wrote to memory of 2064	1284	wrg.exe	51
PID 1284 wrote to memory of 2064	1284	wrg.exe	51
PID 1284 wrote to memory of 2064	1284	wrg.exe	51
PID 1284 wrote to memory of 2064	1284	wrg.exe	51

C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe
"C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\wgaugqp.exe
  "C:\Windows\system32\wgaugqp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\wmtniuu.exe
    "C:\Windows\system32\wmtniuu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\wsefwc.exe
      "C:\Windows\system32\wsefwc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\waxrct.exe
        
        "C:\Windows\system32\waxrct.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\wfxa.exe
        
        "C:\Windows\system32\wfxa.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\wkvb.exe
        
        "C:\Windows\system32\wkvb.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\wrg.exe
        
        "C:\Windows\system32\wrg.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\wpjh.exe
        
        "C:\Windows\system32\wpjh.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\wrkql.exe
        
        "C:\Windows\system32\wrkql.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Windows\SysWOW64\wfquwom.exe
        
        "C:\Windows\system32\wfquwom.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wqryvld.exe
        
        "C:\Windows\system32\wqryvld.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\SysWOW64\wwcplra.exe
        
        "C:\Windows\system32\wwcplra.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\SysWOW64\whpdqo.exe
        
        "C:\Windows\system32\whpdqo.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\wwjlcb.exe
        
        "C:\Windows\system32\wwjlcb.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:564
        
        C:\Windows\SysWOW64\whkoby.exe
        
        "C:\Windows\system32\whkoby.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1704
        
        C:\Windows\SysWOW64\wvgi.exe
        
        "C:\Windows\system32\wvgi.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\wgrw.exe
        
        "C:\Windows\system32\wgrw.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\whobpdc.exe
        
        "C:\Windows\system32\whobpdc.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1608
        
        C:\Windows\SysWOW64\wajrkkvtq.exe
        
        "C:\Windows\system32\wajrkkvtq.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\wdk.exe
        
        "C:\Windows\system32\wdk.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\welns.exe
        
        "C:\Windows\system32\welns.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2116
        
        C:\Windows\SysWOW64\wxof.exe
        
        "C:\Windows\system32\wxof.exe"
        23⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\wemhwyv.exe
        
        "C:\Windows\system32\wemhwyv.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\whmrn.exe
        
        "C:\Windows\system32\whmrn.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:528
        
        C:\Windows\SysWOW64\wxsrpvhrh.exe
        
        "C:\Windows\system32\wxsrpvhrh.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wvkvi.exe
        
        "C:\Windows\system32\wvkvi.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\wyv.exe
        
        "C:\Windows\system32\wyv.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\westbne.exe
        
        "C:\Windows\system32\westbne.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\wptwak.exe
        
        "C:\Windows\system32\wptwak.exe"
        30⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\wkqt.exe
        
        "C:\Windows\system32\wkqt.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\wlnabaa.exe
        
        "C:\Windows\system32\wlnabaa.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\wsogig.exe
        
        "C:\Windows\system32\wsogig.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\wxmiel.exe
        
        "C:\Windows\system32\wxmiel.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\wgmo.exe
        
        "C:\Windows\system32\wgmo.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\wpinyqrkd.exe
        
        "C:\Windows\system32\wpinyqrkd.exe"
        36⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\wxxmoov.exe
        
        "C:\Windows\system32\wxxmoov.exe"
        37⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\wjwonm.exe
        
        "C:\Windows\system32\wjwonm.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\wkvtsbqyg.exe
        
        "C:\Windows\system32\wkvtsbqyg.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\wyf.exe
        
        "C:\Windows\system32\wyf.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\wjq.exe
        
        "C:\Windows\system32\wjq.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\wxmlaekn.exe
        
        "C:\Windows\system32\wxmlaekn.exe"
        42⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\wvhx.exe
        
        "C:\Windows\system32\wvhx.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:612
        
        C:\Windows\SysWOW64\wgsl.exe
        
        "C:\Windows\system32\wgsl.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\wsyocri.exe
        
        "C:\Windows\system32\wsyocri.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\weascp.exe
        
        "C:\Windows\system32\weascp.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\wsgwmgale.exe
        
        "C:\Windows\system32\wsgwmgale.exe"
        47⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\wmcnins.exe
        
        "C:\Windows\system32\wmcnins.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\wamxfdwr.exe
        
        "C:\Windows\system32\wamxfdwr.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1688
        
        C:\Windows\SysWOW64\wtinakp.exe
        
        "C:\Windows\system32\wtinakp.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2840
        
        C:\Windows\SysWOW64\whehebfkv.exe
        
        "C:\Windows\system32\whehebfkv.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1484
        
        C:\Windows\SysWOW64\wjvhfk.exe
        
        "C:\Windows\system32\wjvhfk.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\wxrcjbxj.exe
        
        "C:\Windows\system32\wxrcjbxj.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2880
        
        C:\Windows\SysWOW64\widooyyj.exe
        
        "C:\Windows\system32\widooyyj.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1080
        
        C:\Windows\SysWOW64\woogdev.exe
        
        "C:\Windows\system32\woogdev.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2940
        
        C:\Windows\SysWOW64\wktewfdm.exe
        
        "C:\Windows\system32\wktewfdm.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\wrvjfk.exe
        
        "C:\Windows\system32\wrvjfk.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\wwibtrnrk.exe
        
        "C:\Windows\system32\wwibtrnrk.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1948
        
        C:\Windows\SysWOW64\wisoan.exe
        
        "C:\Windows\system32\wisoan.exe"
        59⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\woego.exe
        
        "C:\Windows\system32\woego.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2788
        
        C:\Windows\SysWOW64\wdaask.exe
        
        "C:\Windows\system32\wdaask.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\wruuwbpfr.exe
        
        "C:\Windows\system32\wruuwbpfr.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\www.exe
        
        "C:\Windows\system32\www.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2484
        
        C:\Windows\SysWOW64\wpdbhog.exe
        
        "C:\Windows\system32\wpdbhog.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:612
        
        C:\Windows\SysWOW64\wbopmn.exe
        
        "C:\Windows\system32\wbopmn.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\wklnals.exe
        
        "C:\Windows\system32\wklnals.exe"
        66⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\wvk.exe
        
        "C:\Windows\system32\wvk.exe"
        67⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\wxivdx.exe
        
        "C:\Windows\system32\wxivdx.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wiblvu.exe
        
        "C:\Windows\system32\wiblvu.exe"
        69⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\wonclc.exe
        
        "C:\Windows\system32\wonclc.exe"
        70⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\wcjvpqj.exe
        
        "C:\Windows\system32\wcjvpqj.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\wrsgngntv.exe
        
        "C:\Windows\system32\wrsgngntv.exe"
        72⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\wgpyrv.exe
        
        "C:\Windows\system32\wgpyrv.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\wuktumsx.exe
        
        "C:\Windows\system32\wuktumsx.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\wjverb.exe
        
        "C:\Windows\system32\wjverb.exe"
        75⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Windows\SysWOW64\wmwpip.exe
        
        "C:\Windows\system32\wmwpip.exe"
        76⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\Windows\SysWOW64\waessg.exe
        
        "C:\Windows\system32\waessg.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\woocpvj.exe
        
        "C:\Windows\system32\woocpvj.exe"
        78⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\wdxmnlo.exe
        
        "C:\Windows\system32\wdxmnlo.exe"
        79⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\wvgnots.exe
        
        "C:\Windows\system32\wvgnots.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\whg.exe
        
        "C:\Windows\system32\whg.exe"
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:280
        
        C:\Windows\SysWOW64\wmshew.exe
        
        "C:\Windows\system32\wmshew.exe"
        82⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\wxogqvq.exe
        
        "C:\Windows\system32\wxogqvq.exe"
        83⤵
        Adds Run key to start application
        
        PID:1236
        
        C:\Windows\SysWOW64\wpivmd.exe
        
        "C:\Windows\system32\wpivmd.exe"
        84⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\wagsyc.exe
        
        "C:\Windows\system32\wagsyc.exe"
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\wnqewq.exe
        
        "C:\Windows\system32\wnqewq.exe"
        86⤵
        Adds Run key to start application
        
        PID:1564
        
        C:\Windows\SysWOW64\wdmxb.exe
        
        "C:\Windows\system32\wdmxb.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\wkneimc.exe
        
        "C:\Windows\system32\wkneimc.exe"
        88⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\wyjxmdqpw.exe
        
        "C:\Windows\system32\wyjxmdqpw.exe"
        89⤵
        Adds Run key to start application
        
        PID:1144
        
        C:\Windows\SysWOW64\weupbjox.exe
        
        "C:\Windows\system32\weupbjox.exe"
        90⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\wkggppmh.exe
        
        "C:\Windows\system32\wkggppmh.exe"
        91⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\wudecnxv.exe
        
        "C:\Windows\system32\wudecnxv.exe"
        92⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Windows\SysWOW64\wfoshlxt.exe
        
        "C:\Windows\system32\wfoshlxt.exe"
        93⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\wpyenkyss.exe
        
        "C:\Windows\system32\wpyenkyss.exe"
        94⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\wavdbi.exe
        
        "C:\Windows\system32\wavdbi.exe"
        95⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\wnhnxxo.exe
        
        "C:\Windows\system32\wnhnxxo.exe"
        96⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\wudotg.exe
        
        "C:\Windows\system32\wudotg.exe"
        97⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wbofj.exe
        
        "C:\Windows\system32\wbofj.exe"
        98⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\wlatoj.exe
        
        "C:\Windows\system32\wlatoj.exe"
        99⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\wdkadqec.exe
        
        "C:\Windows\system32\wdkadqec.exe"
        100⤵
        Adds Run key to start application
        
        PID:2688
        
        C:\Windows\SysWOW64\wjvprwb.exe
        
        "C:\Windows\system32\wjvprwb.exe"
        101⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\wgcnkwh.exe
        
        "C:\Windows\system32\wgcnkwh.exe"
        102⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\wioijl.exe
        
        "C:\Windows\system32\wioijl.exe"
        103⤵
        Drops file in System32 directory
        
        PID:348
        
        C:\Windows\SysWOW64\wwargb.exe
        
        "C:\Windows\system32\wwargb.exe"
        104⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\wylne.exe
        
        "C:\Windows\system32\wylne.exe"
        105⤵
        Adds Run key to start application
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwargb.exe"
        105⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioijl.exe"
        104⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgcnkwh.exe"
        103⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvprwb.exe"
        102⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdkadqec.exe"
        101⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlatoj.exe"
        100⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbofj.exe"
        99⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudotg.exe"
        98⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhnxxo.exe"
        97⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wavdbi.exe"
        96⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyenkyss.exe"
        95⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfoshlxt.exe"
        94⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudecnxv.exe"
        93⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkggppmh.exe"
        92⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weupbjox.exe"
        91⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyjxmdqpw.exe"
        90⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkneimc.exe"
        89⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdmxb.exe"
        88⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqewq.exe"
        87⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagsyc.exe"
        86⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpivmd.exe"
        85⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxogqvq.exe"
        84⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmshew.exe"
        83⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe"
        82⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgnots.exe"
        81⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxmnlo.exe"
        80⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 808
        80⤵
        Program crash
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woocpvj.exe"
        79⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waessg.exe"
        78⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmwpip.exe"
        77⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjverb.exe"
        76⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuktumsx.exe"
        75⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgpyrv.exe"
        74⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrsgngntv.exe"
        73⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjvpqj.exe"
        72⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wonclc.exe"
        71⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiblvu.exe"
        70⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxivdx.exe"
        69⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvk.exe"
        68⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wklnals.exe"
        67⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbopmn.exe"
        66⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdbhog.exe"
        65⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\www.exe"
        64⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wruuwbpfr.exe"
        63⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 180
        63⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdaask.exe"
        62⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woego.exe"
        61⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wisoan.exe"
        60⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwibtrnrk.exe"
        59⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrvjfk.exe"
        58⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wktewfdm.exe"
        57⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woogdev.exe"
        56⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\widooyyj.exe"
        55⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrcjbxj.exe"
        54⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvhfk.exe"
        53⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whehebfkv.exe"
        52⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtinakp.exe"
        51⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wamxfdwr.exe"
        50⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmcnins.exe"
        49⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsgwmgale.exe"
        48⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weascp.exe"
        47⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsyocri.exe"
        46⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgsl.exe"
        45⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvhx.exe"
        44⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmlaekn.exe"
        43⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjq.exe"
        42⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyf.exe"
        41⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvtsbqyg.exe"
        40⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjwonm.exe"
        39⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxmoov.exe"
        38⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpinyqrkd.exe"
        37⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgmo.exe"
        36⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxmiel.exe"
        35⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsogig.exe"
        34⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlnabaa.exe"
        33⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkqt.exe"
        32⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wptwak.exe"
        31⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\westbne.exe"
        30⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyv.exe"
        29⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkvi.exe"
        28⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxsrpvhrh.exe"
        27⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whmrn.exe"
        26⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemhwyv.exe"
        25⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxof.exe"
        24⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\welns.exe"
        23⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdk.exe"
        22⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wajrkkvtq.exe"
        21⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whobpdc.exe"
        20⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrw.exe"
        19⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvgi.exe"
        18⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkoby.exe"
        17⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwjlcb.exe"
        16⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whpdqo.exe"
        15⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwcplra.exe"
        14⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqryvld.exe"
        13⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfquwom.exe"
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrkql.exe"
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpjh.exe"
        10⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrg.exe"
        9⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvb.exe"
        8⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfxa.exe"
        7⤵
        
        PID:836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waxrct.exe"
        6⤵
        
        PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsefwc.exe"
        5⤵
        
        PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmtniuu.exe"
      4⤵
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgaugqp.exe"
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\b5ffaa8ce4f37a9e38d9d99f90140b401066e83dd7fe4b7161a692ba8268d07b.exe"
  2⤵
  - Deletes itself
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z61CSWG9.txt

Filesize
98B

MD5
1da0f4a84dde774a6dcddb2f7ec1125a

SHA1
fb4ff5322bf9996526be315dd24727186f10ab49

SHA256
94fde3480ba0dc9f24eb0b23d8623ee0e77773032e8193ee160c5bae1b6d02b2

SHA512
cf3fd0a47b02ac96c3a2a3d920e1a35c012145e245d4264c65153e0022a609dadadc38c3d5d2a5f15a9762062585e904f0298e837cd8d25d68444e70b94821b2

Download Submit
\Windows\SysWOW64\waxrct.exe

Filesize
89KB

MD5
8f83fbb48538be7127edc546f94633bb

SHA1
258a74128fae895cacf71bc9abdca62a0512d404

SHA256
ed8836d48cd1d5f671f86e4367e37a79396b05b62089e761c7cd0650d13fe039

SHA512
25a1ff4d56879e9f0549c949d7d117d4e41f4ae9e7870d9aa2a86a4dd3bf3830896cf10d67dea4a98fb5c09d7e3c23a847a7a4d2ffc1fd1a8efbc73388ae585b

Download Submit
\Windows\SysWOW64\wfquwom.exe

Filesize
90KB

MD5
76daefe3691cc8939b85615407e2b36c

SHA1
8b006c259d90b7a9c66b92dd2518a7d4885b6895

SHA256
e60803d2ef97cb40e72d47fc23fc8ec40eda0b8fa160065c674a99202e4d3c13

SHA512
9e80de85a106edddede91755afe1cec2cb395cb3ea852275b996500c1870df1fbc41ee81c737e9cb921b550605ae400c6beb470d46b19190009ecd53bfa51aec

Download Submit
\Windows\SysWOW64\wfxa.exe

Filesize
89KB

MD5
9a61e59e20f0e5ae2d7062a6532f13a7

SHA1
792b59e2fc10f45057ac6601ba1298c5cd8be41b

SHA256
73deaee944e3b7ceeb546d4107c18812e5d4a5bc4806c3719d4d3a42fd843e46

SHA512
315ed05af74c267d9c70d5f21628d062e907c4fc14a799fd262ede9bedc53522b854a9debb65e65d0c8aa3fd549242e914331d0051b1837862ea6a89fd2d5f1d

Download Submit
\Windows\SysWOW64\wgaugqp.exe

Filesize
89KB

MD5
53fdbb5eaeeff517653c4129bb238d5d

SHA1
c41d64e260a26bf9612a425d0ef7adfad61e4dfb

SHA256
ec057f8d0148776a3e07040d45f57c527c1d8b8d7a4dc42ffa674f0754fefb53

SHA512
299b1bceacc9ad64185701120211b4a0cc1c6980c0bc4c92afc7bbfca42a0cc1df350a1ba488a1d06ec6a31ac76aaa161e2f0930492787af39c583a0782e141a

Download Submit
\Windows\SysWOW64\wkvb.exe

Filesize
90KB

MD5
e8b42f4bff940ebec75db2f78f7f9665

SHA1
d1a73f6e534a2f9b7d2874eee734686d229b85d1

SHA256
937c78e33a349ad6d90fae9e2d82b3038490b50e0d1687d33a2327282bb2a074

SHA512
693abb8cfd4163e1c796b9e5e37a36fbb8f3df654e2c1bb1e900de0c19767ae3a82baad25526b494c1ad28fb932ba8422b575f8626b600e5990e35f91b165870

Download Submit
\Windows\SysWOW64\wmtniuu.exe

Filesize
89KB

MD5
5f18f88896ada5695a384d053194eb71

SHA1
a753618e05d48f66ac0661b4e6171c73d0365a61

SHA256
9939d5b8dcfffddab4b9e09e9f6c02085d93c1f3ec3e29782799ad11ce5ceb7f

SHA512
b5e746fad8e53ab641194e0ba8327da7660e58826a0e522f430b03b3b3af8e5f836164dcccff55ebdfbbd5e461fda1a559a39927ca4fe879ae290329fb1202df

Download Submit
\Windows\SysWOW64\wpjh.exe

Filesize
90KB

MD5
c8c5000f826746ea604e0f26c80bca3a

SHA1
a1e44b21e90ba9abcf518af4e910d7c62cf660ee

SHA256
17d110bae7e8d8d1f794a2bcf212d64243a124440613324503e2cc2e12d58802

SHA512
f7dce6748badd65a2b3c64efda09ba72ffc5a2e7b0bfad2e67bcd32d6eef0de9727e6145358f869584bbe6268fe452e9b5fb3d39107f88877a1ca66ddd3ac59d

Download Submit
\Windows\SysWOW64\wrg.exe

Filesize
90KB

MD5
3e3eedbc60b498184afc61875740ac84

SHA1
f0a103981af93d3e5d6091f8fe50e43dc4349b9d

SHA256
7f02f175c0a0405b37eccede129de35aa4b02603afc0cfa267263922105d4f81

SHA512
ac505a25c04ea5b06509a86531d93cd7f695ff49080bc41cd2fa9ccc27002c77fbde6a414f75e26ab34bc508c4873f853b2da8aa3b7cbde915b83d9a29787127

Download Submit
\Windows\SysWOW64\wrkql.exe

Filesize
90KB

MD5
5823326dc0ba25a9b86ea0a940fbd40e

SHA1
653a8e7e58e4df00d7345217bc368820ab1bfb7c

SHA256
086b1b44cf8be4e1c761613662721e462c6ac361b46fb377a0e3ba62ebf48372

SHA512
b92c3ac873c1b59eef66362d086b37c2b44794e4688994ae08a1958e3bd0f4e4f24f968bb2885ccfdb51a0afaaa31d840437770bbdda797a5dcfdb45eeeec22f

Download Submit
\Windows\SysWOW64\wsefwc.exe

Filesize
89KB

MD5
569e3a5e1d6dfaabdceb33aa2e7bbeb3

SHA1
a94d61f7f3be05b6bd8d51d786c082ba48eb77bc

SHA256
279aa984a6850fefb9cc07742e3969fe471224a6be5763d8f4340c294b17e4fe

SHA512
e434e0fc8e117481ef03d55697152ff7c14dfaa3c37a4dea5e12248c2de375fcb9748f18a0ee2995081638343731b68098cc7e81be4f355c9d9690e9582e23e6

Download Submit
memory/560-338-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/560-337-0x0000000003630000-0x0000000003648000-memory.dmp

Filesize
96KB

Download
memory/560-321-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/560-336-0x0000000003620000-0x0000000003638000-memory.dmp

Filesize
96KB

Download
memory/560-335-0x0000000003620000-0x0000000003638000-memory.dmp

Filesize
96KB

Download
memory/564-293-0x0000000003E30000-0x0000000003E40000-memory.dmp

Filesize
64KB

Download
memory/564-287-0x0000000003E20000-0x0000000003E38000-memory.dmp

Filesize
96KB

Download
memory/564-276-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/564-292-0x0000000004030000-0x0000000004048000-memory.dmp

Filesize
96KB

Download
memory/564-288-0x0000000003E20000-0x0000000003E38000-memory.dmp

Filesize
96KB

Download
memory/564-294-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-323-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/836-320-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/836-322-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/836-308-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1284-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1284-178-0x00000000021B0000-0x00000000021C8000-memory.dmp

Filesize
96KB

Download
memory/1284-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1360-400-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1360-413-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/1360-412-0x00000000024C0000-0x00000000024D8000-memory.dmp

Filesize
96KB

Download
memory/1368-275-0x00000000025A0000-0x00000000025B8000-memory.dmp

Filesize
96KB

Download
memory/1368-277-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/1368-263-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1368-278-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1552-109-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/1552-110-0x0000000004150000-0x0000000004168000-memory.dmp

Filesize
96KB

Download
memory/1552-114-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/1552-115-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1608-353-0x0000000003500000-0x0000000003518000-memory.dmp

Filesize
96KB

Download
memory/1608-355-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1608-351-0x0000000003500000-0x0000000003518000-memory.dmp

Filesize
96KB

Download
memory/1608-352-0x0000000003500000-0x0000000003518000-memory.dmp

Filesize
96KB

Download
memory/1608-356-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1608-339-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-354-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1692-369-0x0000000003470000-0x0000000003488000-memory.dmp

Filesize
96KB

Download
memory/1692-368-0x0000000003470000-0x0000000003488000-memory.dmp

Filesize
96KB

Download
memory/1692-370-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1704-307-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1704-303-0x0000000002270000-0x0000000002288000-memory.dmp

Filesize
96KB

Download
memory/1716-88-0x00000000040A0000-0x00000000040B8000-memory.dmp

Filesize
96KB

Download
memory/1716-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-91-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-87-0x00000000040A0000-0x00000000040B8000-memory.dmp

Filesize
96KB

Download
memory/1720-22-0x0000000004020000-0x0000000004030000-memory.dmp

Filesize
64KB

Download
memory/1720-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1720-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1720-18-0x0000000004020000-0x0000000004038000-memory.dmp

Filesize
96KB

Download
memory/1720-19-0x0000000004020000-0x0000000004038000-memory.dmp

Filesize
96KB

Download
memory/1720-6-0x0000000004010000-0x0000000004028000-memory.dmp

Filesize
96KB

Download
memory/1724-233-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1724-247-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1724-246-0x0000000003B30000-0x0000000003B48000-memory.dmp

Filesize
96KB

Download
memory/1724-248-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1884-160-0x0000000003F70000-0x0000000003F80000-memory.dmp

Filesize
64KB

Download
memory/1884-155-0x0000000003F60000-0x0000000003F78000-memory.dmp

Filesize
96KB

Download
memory/1884-156-0x0000000003F70000-0x0000000003F88000-memory.dmp

Filesize
96KB

Download
memory/1884-162-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1884-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-371-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1924-383-0x0000000003E70000-0x0000000003E88000-memory.dmp

Filesize
96KB

Download
memory/1924-384-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2008-133-0x0000000004050000-0x0000000004068000-memory.dmp

Filesize
96KB

Download
memory/2008-132-0x0000000003420000-0x0000000003438000-memory.dmp

Filesize
96KB

Download
memory/2008-113-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2008-134-0x0000000004050000-0x0000000004068000-memory.dmp

Filesize
96KB

Download
memory/2008-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-41-0x0000000003BC0000-0x0000000003BD8000-memory.dmp

Filesize
96KB

Download
memory/2116-385-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-42-0x0000000003BD0000-0x0000000003BE8000-memory.dmp

Filesize
96KB

Download
memory/2116-43-0x0000000003BD0000-0x0000000003BE8000-memory.dmp

Filesize
96KB

Download
memory/2116-397-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2116-398-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2116-49-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-399-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2116-47-0x0000000003BD0000-0x0000000003BE0000-memory.dmp

Filesize
64KB

Download
memory/2528-234-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-221-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-69-0x0000000003BF0000-0x0000000003C00000-memory.dmp

Filesize
64KB

Download
memory/2564-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-66-0x0000000003DB0000-0x0000000003DC8000-memory.dmp

Filesize
96KB

Download
memory/2564-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-204-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-220-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2772-219-0x00000000034E0000-0x00000000034F8000-memory.dmp

Filesize
96KB

Download
memory/2836-261-0x0000000003490000-0x00000000034A8000-memory.dmp

Filesize
96KB

Download
memory/2836-249-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2836-262-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2980-182-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2980-206-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2980-200-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/2980-201-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download
memory/2980-199-0x0000000003560000-0x0000000003578000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads