Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
31/10/2024, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
Resource
win10v2004-20241007-en
General
-
Target
124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
-
Size
97KB
-
MD5
12552efed1e955111926e48b1d277910
-
SHA1
4ffe01b76370a5d571ac7f1e14a44c738a3b1b50
-
SHA256
124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43
-
SHA512
99f58d14120100bbf0a155c7dfb6cf316a2bdeaac33dc4fb0a8008aef4ff21a2f817f5f4087e6fe7e44dc2201b28285d6ea31940bec62bd1a15ca3b52006a346
-
SSDEEP
1536:p7u6cOLK7hNIMLrCiS4xUfXM3xvuoSB5qEftLhSnWQD+hpX71qCi7w:1eOLK7hNIMLrCiS4+PwRjY5xhEAXQC3
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2828  cmd.exe -
Executes dropped EXE 64 IoCs
pid   Process
2884  wro.exe
2264  woq.exe
1732  wyulxrq.exe
2840  wdekseifi.exe
2388  wipman.exe
2500  wdce.exe
2116  wpqiqp.exe
880   wcjibkb.exe
2080  wwioaqyl.exe
1760  wpltaa.exe
976   wti.exe
1380  wmps.exe
2068  wywjn.exe
1132  wlfyqlekn.exe
1716  wucj.exe
2280  wrjrip.exe
3036  wqlrana.exe
2656  wvjfowh.exe
2700  wnqqjj.exe
1848  wwnanmsc.exe
2028  wnjd.exe
2156  wwrwoaf.exe
600   wfaqad.exe
660   wwhdvod.exe
2144  wnuewcl.exe
3064  wevo.exe
2672  wnryjr.exe
2612  wedswhut.exe
2716  wqljbbs.exe
3008  wnyf.exe
1608  wuiygjbl.exe
2304  wdcqr.exe
3068  wpg.exe
2944  wopvrj.exe
1512  woakogyxa.exe
1892  wxwt.exe
2640  wbhc.exe
2836  woptmsxh.exe
2612  wrwdahmf.exe
2716  wphqxfy.exe
2700  wdogayx.exe
976   wydd.exe
1592  wxn.exe
2516  wlvhrwv.exe
1132  wgunqdtd.exe
996   wwuxyqmr.exe
2120  wcslmb.exe
2652  wobcqv.exe
2580  wbpfb.exe
1292  wijvmxb.exe
2960  wvg.exe
1772  wepuvu.exe
2140  weny.exe
1208  wlhoxy.exe
1512  wxpfb.exe
2432  wec.exe
2860  wuju.exe
1324  wipliklb.exe
612   wihaqggs.exe
2300  wupovbeb.exe
2004  wpovt.exe
2816  wyxdym.exe
2648  wfrsjtaq.exe
2272  wkevrdvsj.exe
(PIDs 976, 1132, 1512, 2612, 2700 and 2716 each appear twice: the PID was reused during the run, so a PID alone does not identify a stage.) -
Loads dropped DLL 64 IoCs
pid   Process (each listed four times in the original table, one row per load event)
1404  124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
2884  wro.exe
2264  woq.exe
1732  wyulxrq.exe
2840  wdekseifi.exe
2388  wipman.exe
2500  wdce.exe
2116  wpqiqp.exe
880   wcjibkb.exe
2080  wwioaqyl.exe
1760  wpltaa.exe
976   wti.exe
1380  wmps.exe
2068  wywjn.exe
1132  wlfyqlekn.exe
1716  wucj.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description  ioc  Process
All 64 entries have the same shape:
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\<name> = "\"C:\\Windows\\SysWOW64\\<name>.exe\"" <name>.exe
i.e. each dropped executable registers its own SysWOW64 path under the Run key of the S-1-5-21-...-1000 user hive (the per-user HKCU Run key, not HKLM). The 64 <name> values, in report order:
wvjfowh, woakogyxa, wbhc, wvg, wvibnag, whkowxabh, wovinvmq, wcjibkb, wnjd, weny, wyxdym, wopmimjs, wlvdf, weupbjox, wfpivqo, wcwgulng, wipman, wuiygjbl, wipliklb, wkvfl, wymitof, wkpsyyk, wxpfb, wyulxrq, wlfyqlekn, wucj, wwrwoaf, wnuewcl, wxn, wijvmxb, whg, wkbldlc, wglxbbnp, wywjn, wqljbbs, wec, wcvsuqh, wtxqalr, wudhxfph, wmps, wfaqad, wopvrj, wdogayx, wihaqggs, wupovbeb, wuywvyhx, wrjrip, wphqxfy, wydd, wcslmb, wuju, wbucou, wdce, wlvhrwv, wobcqv, wlhoxy, wioaxn, wryrisn, wevo, wicydhh, wwnanmsc, wnyf, wpg, wbpfb -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 64 IoCs
description                   ioc (all under C:\Windows\SysWOW64\)   Process
File created                  wqlrana.exe                            wrjrip.exe
File opened for modification  wwhdvod.exe                            wfaqad.exe
File created                  woakogyxa.exe                          wopvrj.exe
File created                  wydd.exe                               wdogayx.exe
File opened for modification  wgunqdtd.exe                           wlvhrwv.exe
File created                  wbpfb.exe                              wobcqv.exe
File opened for modification  wec.exe                                wxpfb.exe
File created                  wcvsuqh.exe                            wkevrdvsj.exe
File opened for modification  wkvfl.exe                              whblrqoq.exe
File opened for modification  wbqgoh.exe                             wcvjkj.exe
File opened for modification  wyulxrq.exe                            woq.exe
File created                  wwhdvod.exe                            wfaqad.exe
File created                  wnryjr.exe                             wevo.exe
File opened for modification  wdogayx.exe                            wphqxfy.exe
File opened for modification  wbchobsd.exe                           whkowxabh.exe
File opened for modification  wwhltqseu.exe                          wfljf.exe
File created                  wioaxn.exe                             wicydhh.exe
File opened for modification  wcwgulng.exe                           wkpsyyk.exe
File created                  wmps.exe                               wti.exe
File created                  wevo.exe                               wnuewcl.exe
File opened for modification  wnryjr.exe                             wevo.exe
File opened for modification  wedswhut.exe                           wnryjr.exe
File created                  wlvhrwv.exe                            wxn.exe
File opened for modification  wtxqalr.exe                            whg.exe
File created                  wtvcoqo.exe                            wyllik.exe
File opened for modification  wnuewcl.exe                            wwhdvod.exe
File opened for modification  wbhc.exe                               wxwt.exe
File created                  woptmsxh.exe                           wbhc.exe
File opened for modification  wvg.exe                                wijvmxb.exe
File opened for modification  wlvdf.exe                              wbchobsd.exe
File opened for modification  wovinvmq.exe                           wtvcoqo.exe
File opened for modification  wwnanmsc.exe                           wnqqjj.exe
File opened for modification  woakogyxa.exe                          wopvrj.exe
File opened for modification  wphqxfy.exe                            wrwdahmf.exe
File created                  wobcqv.exe                             wcslmb.exe
File opened for modification  wkevrdvsj.exe                          wfrsjtaq.exe
File opened for modification  wfullm.exe                             wkvfl.exe
File opened for modification  wudhxfph.exe                           wydayb.exe
File opened for modification  wipman.exe                             wdekseifi.exe
File created                  wdce.exe                               wipman.exe
File created                  wwioaqyl.exe                           wcjibkb.exe
File opened for modification  wpg.exe                                wdcqr.exe
File created                  wepuvu.exe                             wvg.exe
File opened for modification  wxpfb.exe                              wlhoxy.exe
File created                  wuywvyhx.exe                           wcvsuqh.exe
File opened for modification  wyllik.exe                             wymitof.exe
File created                  wsetb.exe                              wovinvmq.exe
File opened for modification  wfpivqo.exe                            wkbldlc.exe
File opened for modification  wti.exe                                wpltaa.exe
File created                  wvjfowh.exe                            wqlrana.exe
File created                  wnqqjj.exe                             wvjfowh.exe
File opened for modification  wopvrj.exe                             wpg.exe
File opened for modification  whg.exe                                wpqond.exe
File opened for modification  wvibnag.exe                            wtxqalr.exe
File created                  wovinvmq.exe                           wtvcoqo.exe
File opened for modification  wfljf.exe                              wsetb.exe
File created                  wbqgoh.exe                             wcvjkj.exe
File created                  wglxbbnp.exe                           wudhxfph.exe
File opened for modification  wro.exe                                124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
File created                  wpltaa.exe                             wwioaqyl.exe
File opened for modification  wrjrip.exe                             wucj.exe
File created                  wwnanmsc.exe                           wnqqjj.exe
File created                  wfaqad.exe                             wwrwoaf.exe
File created                  wcslmb.exe                             wwuxyqmr.exe -
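The two tables above (Run-key writes and SysWOW64 drops) describe a chain in which every stage writes the next stage's executable into SysWOW64 and registers itself under the user's Run key. The Python below is an added example, not anything from the report or the sample: it parses excerpts of those two tables in the report's own row format, reconstructs the dropper-to-dropped chain, and checks the self-registration pattern. The excerpt rows are copied from this page; the regular expression for the generated name shape (w plus 2 to 8 lowercase letters) is derived from the 64 names on this page and is an assumption, not a general rule.

```python
"""Parse the sandbox report's file-drop and Run-key tables into a drop chain and a
persistence check. Added example; the excerpt rows are copied from the report."""
import re
from collections import defaultdict

# Constructed excerpt of the "Drops file in System32 directory" table, one event per line.
FILE_EVENTS = r"""
File created C:\Windows\SysWOW64\wqlrana.exe wrjrip.exe
File created C:\Windows\SysWOW64\wvjfowh.exe wqlrana.exe
File created C:\Windows\SysWOW64\wnqqjj.exe wvjfowh.exe
File created C:\Windows\SysWOW64\wwnanmsc.exe wnqqjj.exe
File opened for modification C:\Windows\SysWOW64\wwnanmsc.exe wnqqjj.exe
File opened for modification C:\Windows\SysWOW64\wro.exe 124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe
"""

# Constructed excerpt of the "Adds Run key to start application" table, same format as the report.
RUN_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wvjfowh = "\"C:\\Windows\\SysWOW64\\wvjfowh.exe\"" wvjfowh.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wnjd = "\"C:\\Windows\\SysWOW64\\wnjd.exe\"" wnjd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wbpfb = "\"C:\\Windows\\SysWOW64\\wbpfb.exe\"" wbpfb.exe
"""

FILE_RE = re.compile(r"^File (created|opened for modification) (\S+) (\S+)$")
RUN_RE = re.compile(r'^Set value \(str\) (\S+)\\Run\\(\S+) = "\\"(.*?)\\"" (\S+)$')
# Name shape seen in this report: 'w' followed by 2..8 lowercase letters. Heuristic, not a rule.
GENERATED_NAME_RE = re.compile(r"^w[a-z]{2,8}\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_file_events(text):
    events = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            events.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
    return events


def parse_run_keys(text):
    entries = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        key, name, data, proc = m.groups()
        entries.append({
            "value_name": name,
            "target": data.replace("\\\\", "\\"),  # undo the report's doubled backslashes
            "process": proc,
            "per_user": key.upper().startswith("\\REGISTRY\\USER\\S-1-5-21-"),
        })
    return entries


def drop_graph(events):
    """Map each writing process to the set of executables it created or modified."""
    graph = defaultdict(set)
    for e in events:
        graph[e["process"]].add(basename(e["path"]))
    return graph


def follow_chain(graph, start):
    """Walk dropper -> dropped while each stage drops exactly one file; stop at a fork or end."""
    chain, seen, cur = [], {start}, start
    while len(graph.get(cur, ())) == 1:
        nxt = next(iter(graph[cur]))
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def self_registering(entries):
    """Run values whose data points at the writing process itself under SysWOW64."""
    hits = []
    for e in entries:
        target = e["target"]
        if (target.lower().startswith("c:\\windows\\syswow64\\")
                and basename(target) == e["process"] == e["value_name"] + ".exe"):
            hits.append(e["value_name"])
    return hits


def looks_like_generated_name(name):
    return bool(GENERATED_NAME_RE.match(name))


if __name__ == "__main__":
    graph = drop_graph(parse_file_events(FILE_EVENTS))
    print("chain from wrjrip.exe:", " -> ".join(follow_chain(graph, "wrjrip.exe")))
    for name in self_registering(parse_run_keys(RUN_EVENTS)):
        print("self-registering Run value:", name)
```

The chain walk stops when a process has dropped zero or more than one file, so on the full table (which is capped at 64 rows) it yields only the fragments the rows actually connect; the four-link run wrjrip -> wqlrana -> wvjfowh -> wnqqjj -> wwnanmsc is one such fragment.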
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid   pid_target  Process       procid_target
3008  2580        WerFault.exe  175
1560  2272        WerFault.exe  222
2428  2404        WerFault.exe  229
(In the Executes dropped EXE table, PID 2580 is wbpfb.exe and PID 2272 is wkevrdvsj.exe; PID 2404 is not named on this page. PIDs are reused during this run, so the match is by table lookup only.) -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 events). cmd.exe, a stock Windows binary, accounts for 30 of them, so this signature is weak evidence on its own. The remaining 34 events come from:
wgunqdtd.exe, whg.exe, wwrwoaf.exe, wfaqad.exe, wbhc.exe, woptmsxh.exe, wymitof.exe, wcvjkj.exe, wvjfowh.exe, wbucou.exe, wuywvyhx.exe, weupbjox.exe, wnjd.exe, wwhdvod.exe, wihaqggs.exe, wpovt.exe, wglxbbnp.exe, wwuxyqmr.exe, wijvmxb.exe, wkpsyyk.exe, wryrisn.exe, wtvcoqo.exe, wnqqjj.exe, woakogyxa.exe, wpqiqp.exe, wxn.exe, wioaxn.exe, wuju.exe, wkevrdvsj.exe, wlvdf.exe, wfrsjtaq.exe, wyllik.exe, wwnanmsc.exe, wbpfb.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid   Process
2580  wbpfb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description: PID <pid> wrote to memory of <target pid>. Each pair below appears four times in the original table (one row per call); procid_target is the sandbox's own process index.
pid   Process                                                                   target pid  procid_target
1404  124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe   2884        31
1404  124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe   2828        32
2884  wro.exe                                                                   2264        34
2884  wro.exe                                                                   1292        35
2264  woq.exe                                                                   1732        37
2264  woq.exe                                                                   1840        38
1732  wyulxrq.exe                                                               2840        40
1732  wyulxrq.exe                                                               300         41
2840  wdekseifi.exe                                                             2388        43
2840  wdekseifi.exe                                                             2224        44
2388  wipman.exe                                                                2500        46
2388  wipman.exe                                                                2372        47
2500  wdce.exe                                                                  2116        49
2500  wdce.exe                                                                  2992        50
2116  wpqiqp.exe                                                                880         52
2116  wpqiqp.exe                                                                2356        53
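The WriteProcessMemory table records one row per call, so every parent/child pair appears four times, and each stage writes into exactly two children: the next stage and a second process. The report names that second child only for PID 2828 (cmd.exe, under Deletes itself); the others are left unnamed here. The Python below is an added example, not part of the report or the sample: it collapses the duplicate rows, rebuilds the tree, and separates the stage chain from the leaf children. The PID-to-name map is filled from the Loads dropped DLL and Deletes itself tables, which only cover the early stages; PIDs are recycled later in the run (1292, for instance, is listed as wijvmxb.exe in Executes dropped EXE), so the map is an assumption valid only for these rows.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory rows. Added example;
the excerpt rows are copied from the report, the PID map from its other tables."""
import re
from collections import Counter, defaultdict

SAMPLE = "124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table. The sandbox logs one
# row per call, so the first stage keeps its four duplicate rows; later rows appear once or twice.
WPM_ROWS = f"""
PID 1404 wrote to memory of 2884 1404 {SAMPLE} 31
PID 1404 wrote to memory of 2884 1404 {SAMPLE} 31
PID 1404 wrote to memory of 2884 1404 {SAMPLE} 31
PID 1404 wrote to memory of 2884 1404 {SAMPLE} 31
PID 1404 wrote to memory of 2828 1404 {SAMPLE} 32
PID 1404 wrote to memory of 2828 1404 {SAMPLE} 32
PID 1404 wrote to memory of 2828 1404 {SAMPLE} 32
PID 1404 wrote to memory of 2828 1404 {SAMPLE} 32
PID 2884 wrote to memory of 2264 2884 wro.exe 34
PID 2884 wrote to memory of 2264 2884 wro.exe 34
PID 2884 wrote to memory of 1292 2884 wro.exe 35
PID 2264 wrote to memory of 1732 2264 woq.exe 37
PID 2264 wrote to memory of 1840 2264 woq.exe 38
PID 1732 wrote to memory of 2840 1732 wyulxrq.exe 40
PID 1732 wrote to memory of 300 1732 wyulxrq.exe 41
PID 2840 wrote to memory of 2388 2840 wdekseifi.exe 43
PID 2840 wrote to memory of 2224 2840 wdekseifi.exe 44
PID 2388 wrote to memory of 2500 2388 wipman.exe 46
PID 2388 wrote to memory of 2372 2388 wipman.exe 47
PID 2500 wrote to memory of 2116 2500 wdce.exe 49
PID 2500 wrote to memory of 2992 2500 wdce.exe 50
PID 2116 wrote to memory of 880 2116 wpqiqp.exe 52
PID 2116 wrote to memory of 2356 2116 wpqiqp.exe 53
"""

# PID -> image name from the "Loads dropped DLL" and "Deletes itself" tables (early stages only).
# Assumption: PIDs are recycled later in the run, so do not apply this map to later rows.
PID_NAMES = {
    1404: SAMPLE, 2884: "wro.exe", 2264: "woq.exe", 1732: "wyulxrq.exe", 2840: "wdekseifi.exe",
    2388: "wipman.exe", 2500: "wdce.exe", 2116: "wpqiqp.exe", 880: "wcjibkb.exe", 2828: "cmd.exe",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_wpm(text):
    """Count calls per (parent, child, parent_name, procid_target); duplicate rows collapse."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, name, order = m.groups()
            counts[(int(parent), int(child), name, int(order))] += 1
    return counts


def build_tree(counts):
    """parent pid -> child pids, in the order the sandbox assigned (procid_target)."""
    children = defaultdict(list)
    for (parent, child, _name, order) in sorted(counts, key=lambda k: k[3]):
        children[parent].append(child)
    return children


def stage_chain(children, root):
    """Follow the one child per stage that itself spawns processes; stop when none or several do."""
    chain, cur = [root], root
    while True:
        nxt = [c for c in children.get(cur, []) if children.get(c)]
        if len(nxt) != 1:
            return chain
        cur = nxt[0]
        chain.append(cur)


def helper_children(children, chain):
    """Children of each stage that never spawn anything themselves (the second child per stage)."""
    return [c for stage in chain for c in children.get(stage, []) if not children.get(c)]


def render(children, root, names, depth=0):
    lines = [f"{'  ' * depth}{root} {names.get(root, '(not named on this page)')}"]
    for c in children.get(root, []):
        lines.extend(render(children, c, names, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_wpm(WPM_ROWS))
    print("\n".join(render(tree, 1404, PID_NAMES)))
```

Because the excerpt ends at PID 2116, both of its children are leaves there, so the last stage's helper child cannot be told apart from the next stage; exclude the final stage when listing helpers from a truncated table.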
Processes
-
C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\wro.exe"C:\Windows\system32\wro.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\woq.exe"C:\Windows\system32\woq.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\wyulxrq.exe"C:\Windows\system32\wyulxrq.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\wdekseifi.exe "C:\Windows\system32\wdekseifi.exe" (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2840
C:\Windows\SysWOW64\wipman.exe "C:\Windows\system32\wipman.exe" (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2388
C:\Windows\SysWOW64\wdce.exe "C:\Windows\system32\wdce.exe" (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2500
C:\Windows\SysWOW64\wpqiqp.exe "C:\Windows\system32\wpqiqp.exe" (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2116
C:\Windows\SysWOW64\wcjibkb.exe "C:\Windows\system32\wcjibkb.exe" (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 880
C:\Windows\SysWOW64\wwioaqyl.exe "C:\Windows\system32\wwioaqyl.exe" (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2080
C:\Windows\SysWOW64\wpltaa.exe "C:\Windows\system32\wpltaa.exe" (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1760
C:\Windows\SysWOW64\wti.exe "C:\Windows\system32\wti.exe" (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 976
C:\Windows\SysWOW64\wmps.exe "C:\Windows\system32\wmps.exe" (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID: 1380
C:\Windows\SysWOW64\wywjn.exe "C:\Windows\system32\wywjn.exe" (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID: 2068
C:\Windows\SysWOW64\wlfyqlekn.exe "C:\Windows\system32\wlfyqlekn.exe" (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID: 1132
C:\Windows\SysWOW64\wucj.exe "C:\Windows\system32\wucj.exe" (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID: 1716
C:\Windows\SysWOW64\wrjrip.exe "C:\Windows\system32\wrjrip.exe" (depth 17)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2280
C:\Windows\SysWOW64\wqlrana.exe "C:\Windows\system32\wqlrana.exe" (depth 18)
- Executes dropped EXE
- Drops file in System32 directory
PID: 3036
C:\Windows\SysWOW64\wvjfowh.exe "C:\Windows\system32\wvjfowh.exe" (depth 19)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2656
C:\Windows\SysWOW64\wnqqjj.exe "C:\Windows\system32\wnqqjj.exe" (depth 20)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2700
C:\Windows\SysWOW64\wwnanmsc.exe "C:\Windows\system32\wwnanmsc.exe" (depth 21)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 1848
C:\Windows\SysWOW64\wnjd.exe "C:\Windows\system32\wnjd.exe" (depth 22)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2028
C:\Windows\SysWOW64\wwrwoaf.exe "C:\Windows\system32\wwrwoaf.exe" (depth 23)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2156
C:\Windows\SysWOW64\wfaqad.exe "C:\Windows\system32\wfaqad.exe" (depth 24)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 600
C:\Windows\SysWOW64\wwhdvod.exe "C:\Windows\system32\wwhdvod.exe" (depth 25)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 660
C:\Windows\SysWOW64\wnuewcl.exe "C:\Windows\system32\wnuewcl.exe" (depth 26)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2144
C:\Windows\SysWOW64\wevo.exe "C:\Windows\system32\wevo.exe" (depth 27)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 3064
C:\Windows\SysWOW64\wnryjr.exe "C:\Windows\system32\wnryjr.exe" (depth 28)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2672
C:\Windows\SysWOW64\wedswhut.exe "C:\Windows\system32\wedswhut.exe" (depth 29)
- Executes dropped EXE
PID: 2612
C:\Windows\SysWOW64\wqljbbs.exe "C:\Windows\system32\wqljbbs.exe" (depth 30)
- Executes dropped EXE
- Adds Run key to start application
PID: 2716
C:\Windows\SysWOW64\wnyf.exe "C:\Windows\system32\wnyf.exe" (depth 31)
- Executes dropped EXE
- Adds Run key to start application
PID: 3008
C:\Windows\SysWOW64\wuiygjbl.exe "C:\Windows\system32\wuiygjbl.exe" (depth 32)
- Executes dropped EXE
- Adds Run key to start application
PID: 1608
C:\Windows\SysWOW64\wdcqr.exe "C:\Windows\system32\wdcqr.exe" (depth 33)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2304
C:\Windows\SysWOW64\wpg.exe "C:\Windows\system32\wpg.exe" (depth 34)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 3068
C:\Windows\SysWOW64\wopvrj.exe "C:\Windows\system32\wopvrj.exe" (depth 35)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2944
C:\Windows\SysWOW64\woakogyxa.exe "C:\Windows\system32\woakogyxa.exe" (depth 36)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 1512
C:\Windows\SysWOW64\wxwt.exe "C:\Windows\system32\wxwt.exe" (depth 37)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1892
C:\Windows\SysWOW64\wbhc.exe "C:\Windows\system32\wbhc.exe" (depth 38)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2640
C:\Windows\SysWOW64\woptmsxh.exe "C:\Windows\system32\woptmsxh.exe" (depth 39)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2836
C:\Windows\SysWOW64\wrwdahmf.exe "C:\Windows\system32\wrwdahmf.exe" (depth 40)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2612
C:\Windows\SysWOW64\wphqxfy.exe "C:\Windows\system32\wphqxfy.exe" (depth 41)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2716
C:\Windows\SysWOW64\wdogayx.exe "C:\Windows\system32\wdogayx.exe" (depth 42)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2700
C:\Windows\SysWOW64\wydd.exe "C:\Windows\system32\wydd.exe" (depth 43)
- Executes dropped EXE
- Adds Run key to start application
PID: 976
C:\Windows\SysWOW64\wxn.exe "C:\Windows\system32\wxn.exe" (depth 44)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1592
C:\Windows\SysWOW64\wlvhrwv.exe "C:\Windows\system32\wlvhrwv.exe" (depth 45)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2516
C:\Windows\SysWOW64\wgunqdtd.exe "C:\Windows\system32\wgunqdtd.exe" (depth 46)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1132
C:\Windows\SysWOW64\wwuxyqmr.exe "C:\Windows\system32\wwuxyqmr.exe" (depth 47)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 996
C:\Windows\SysWOW64\wcslmb.exe "C:\Windows\system32\wcslmb.exe" (depth 48)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2120
C:\Windows\SysWOW64\wobcqv.exe "C:\Windows\system32\wobcqv.exe" (depth 49)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2652
C:\Windows\SysWOW64\wbpfb.exe "C:\Windows\system32\wbpfb.exe" (depth 50)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID: 2580
C:\Windows\SysWOW64\wijvmxb.exe "C:\Windows\system32\wijvmxb.exe" (depth 51)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1292
C:\Windows\SysWOW64\wvg.exe "C:\Windows\system32\wvg.exe" (depth 52)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 2960
C:\Windows\SysWOW64\wepuvu.exe "C:\Windows\system32\wepuvu.exe" (depth 53)
- Executes dropped EXE
PID: 1772
C:\Windows\SysWOW64\weny.exe "C:\Windows\system32\weny.exe" (depth 54)
- Executes dropped EXE
- Adds Run key to start application
PID: 2140
C:\Windows\SysWOW64\wlhoxy.exe "C:\Windows\system32\wlhoxy.exe" (depth 55)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 1208
C:\Windows\SysWOW64\wxpfb.exe "C:\Windows\system32\wxpfb.exe" (depth 56)
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID: 1512
C:\Windows\SysWOW64\wec.exe "C:\Windows\system32\wec.exe" (depth 57)
- Executes dropped EXE
- Adds Run key to start application
PID: 2432
C:\Windows\SysWOW64\wuju.exe "C:\Windows\system32\wuju.exe" (depth 58)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2860
C:\Windows\SysWOW64\wipliklb.exe "C:\Windows\system32\wipliklb.exe" (depth 59)
- Executes dropped EXE
- Adds Run key to start application
PID: 1324
C:\Windows\SysWOW64\wihaqggs.exe "C:\Windows\system32\wihaqggs.exe" (depth 60)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 612
C:\Windows\SysWOW64\wupovbeb.exe "C:\Windows\system32\wupovbeb.exe" (depth 61)
- Executes dropped EXE
- Adds Run key to start application
PID: 2300
C:\Windows\SysWOW64\wpovt.exe "C:\Windows\system32\wpovt.exe" (depth 62)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2004
C:\Windows\SysWOW64\wyxdym.exe "C:\Windows\system32\wyxdym.exe" (depth 63)
- Executes dropped EXE
- Adds Run key to start application
PID: 2816
C:\Windows\SysWOW64\wfrsjtaq.exe "C:\Windows\system32\wfrsjtaq.exe" (depth 64)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2648
C:\Windows\SysWOW64\wkevrdvsj.exe "C:\Windows\system32\wkevrdvsj.exe" (depth 65)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2272
C:\Windows\SysWOW64\wcvsuqh.exe "C:\Windows\system32\wcvsuqh.exe" (depth 66)
- Adds Run key to start application
- Drops file in System32 directory
PID: 1624
C:\Windows\SysWOW64\wuywvyhx.exe "C:\Windows\system32\wuywvyhx.exe" (depth 67)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2404
C:\Windows\SysWOW64\wpqond.exe "C:\Windows\system32\wpqond.exe" (depth 68)
- Drops file in System32 directory
PID: 1944
C:\Windows\SysWOW64\whg.exe "C:\Windows\system32\whg.exe" (depth 69)
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2964
C:\Windows\SysWOW64\wtxqalr.exe "C:\Windows\system32\wtxqalr.exe" (depth 70)
- Adds Run key to start application
- Drops file in System32 directory
PID: 2536
C:\Windows\SysWOW64\wvibnag.exe "C:\Windows\system32\wvibnag.exe" (depth 71)
- Adds Run key to start application
PID: 2328
C:\Windows\SysWOW64\wopmimjs.exe "C:\Windows\system32\wopmimjs.exe" (depth 72)
- Adds Run key to start application
PID: 752
C:\Windows\SysWOW64\whkowxabh.exe "C:\Windows\system32\whkowxabh.exe" (depth 73)
- Adds Run key to start application
- Drops file in System32 directory
PID: 1660
C:\Windows\SysWOW64\wbchobsd.exe "C:\Windows\system32\wbchobsd.exe" (depth 74)
- Drops file in System32 directory
PID: 2276
C:\Windows\SysWOW64\wlvdf.exe "C:\Windows\system32\wlvdf.exe" (depth 75)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2268
C:\Windows\SysWOW64\whblrqoq.exe "C:\Windows\system32\whblrqoq.exe" (depth 76)
- Drops file in System32 directory
PID: 2020
C:\Windows\SysWOW64\wkvfl.exe "C:\Windows\system32\wkvfl.exe" (depth 77)
- Adds Run key to start application
- Drops file in System32 directory
PID: 2576
C:\Windows\SysWOW64\wfullm.exe "C:\Windows\system32\wfullm.exe" (depth 78)
PID: 2056
C:\Windows\SysWOW64\weupbjox.exe "C:\Windows\system32\weupbjox.exe" (depth 79)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 300
C:\Windows\SysWOW64\wymitof.exe "C:\Windows\system32\wymitof.exe" (depth 80)
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1336
C:\Windows\SysWOW64\wyllik.exe "C:\Windows\system32\wyllik.exe" (depth 81)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1992
C:\Windows\SysWOW64\wtvcoqo.exe "C:\Windows\system32\wtvcoqo.exe" (depth 82)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3032
C:\Windows\SysWOW64\wovinvmq.exe "C:\Windows\system32\wovinvmq.exe" (depth 83)
- Adds Run key to start application
- Drops file in System32 directory
PID: 760
C:\Windows\SysWOW64\wsetb.exe "C:\Windows\system32\wsetb.exe" (depth 84)
- Drops file in System32 directory
PID: 2348
C:\Windows\SysWOW64\wfljf.exe "C:\Windows\system32\wfljf.exe" (depth 85)
- Drops file in System32 directory
PID: 1048
C:\Windows\SysWOW64\wwhltqseu.exe "C:\Windows\system32\wwhltqseu.exe" (depth 86)
PID: 1576
C:\Windows\SysWOW64\wkbldlc.exe "C:\Windows\system32\wkbldlc.exe" (depth 87)
- Adds Run key to start application
- Drops file in System32 directory
PID: 1132
C:\Windows\SysWOW64\wfpivqo.exe "C:\Windows\system32\wfpivqo.exe" (depth 88)
- Adds Run key to start application
PID: 2148
C:\Windows\SysWOW64\wicydhh.exe "C:\Windows\system32\wicydhh.exe" (depth 89)
- Adds Run key to start application
- Drops file in System32 directory
PID: 2976
C:\Windows\SysWOW64\wioaxn.exe "C:\Windows\system32\wioaxn.exe" (depth 90)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 1332
C:\Windows\SysWOW64\wydayb.exe "C:\Windows\system32\wydayb.exe" (depth 91)
- Drops file in System32 directory
PID: 2760
C:\Windows\SysWOW64\wudhxfph.exe "C:\Windows\system32\wudhxfph.exe" (depth 92)
- Adds Run key to start application
- Drops file in System32 directory
PID: 2520
C:\Windows\SysWOW64\wglxbbnp.exe "C:\Windows\system32\wglxbbnp.exe" (depth 93)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 1628
C:\Windows\SysWOW64\wkpsyyk.exe "C:\Windows\system32\wkpsyyk.exe" (depth 94)
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1580
C:\Windows\SysWOW64\wcwgulng.exe "C:\Windows\system32\wcwgulng.exe" (depth 95)
- Adds Run key to start application
PID: 2272
C:\Windows\SysWOW64\wcvjkj.exe "C:\Windows\system32\wcvjkj.exe" (depth 96)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1624
C:\Windows\SysWOW64\wbqgoh.exe "C:\Windows\system32\wbqgoh.exe" (depth 97)
PID: 2808
C:\Windows\SysWOW64\wryrisn.exe "C:\Windows\system32\wryrisn.exe" (depth 98)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 3052
C:\Windows\SysWOW64\wbucou.exe "C:\Windows\system32\wbucou.exe" (depth 99)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2440
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wryrisn.exe" (depth 99)
PID: 2964
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbqgoh.exe" (depth 98)
- System Location Discovery: System Language Discovery
PID: 2152
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvjkj.exe" (depth 97)
PID: 2576
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcwgulng.exe" (depth 96)
PID: 2316
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkpsyyk.exe" (depth 95)
- System Location Discovery: System Language Discovery
PID: 1472
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wglxbbnp.exe" (depth 94)
PID: 832
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wudhxfph.exe" (depth 93)
- System Location Discovery: System Language Discovery
PID: 1028
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydayb.exe" (depth 92)
PID: 2080
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wioaxn.exe" (depth 91)
PID: 1940
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wicydhh.exe" (depth 90)
PID: 1140
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfpivqo.exe" (depth 89)
PID: 1124
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbldlc.exe" (depth 88)
PID: 1416
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhltqseu.exe" (depth 87)
- System Location Discovery: System Language Discovery
PID: 1512
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfljf.exe" (depth 86)
PID: 2556
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsetb.exe" (depth 85)
PID: 2464
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wovinvmq.exe" (depth 84)
- System Location Discovery: System Language Discovery
PID: 1592
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtvcoqo.exe" (depth 83)
PID: 952
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyllik.exe" (depth 82)
- System Location Discovery: System Language Discovery
PID: 1944
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wymitof.exe" (depth 81)
PID: 1940
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weupbjox.exe" (depth 80)
PID: 2912
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfullm.exe" (depth 79)
- System Location Discovery: System Language Discovery
PID: 1808
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkvfl.exe" (depth 78)
PID: 1836
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whblrqoq.exe" (depth 77)
PID: 836
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvdf.exe" (depth 76)
- System Location Discovery: System Language Discovery
PID: 2556
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbchobsd.exe" (depth 75)
- System Location Discovery: System Language Discovery
PID: 2464
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whkowxabh.exe" (depth 74)
PID: 1592
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopmimjs.exe" (depth 73)
PID: 2384
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvibnag.exe" (depth 72)
- System Location Discovery: System Language Discovery
PID: 2156
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtxqalr.exe" (depth 71)
- System Location Discovery: System Language Discovery
PID: 868
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\whg.exe" (depth 70)
- System Location Discovery: System Language Discovery
PID: 1784
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqond.exe" (depth 69)
PID: 2976
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuywvyhx.exe" (depth 68)
PID: 2080
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 486 (depth 68)
- Program crash
PID: 2428
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcvsuqh.exe" (depth 67)
- System Location Discovery: System Language Discovery
PID: 2100
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkevrdvsj.exe" (depth 66)
PID: 2868
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 180 (depth 66)
- Program crash
PID: 1560
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfrsjtaq.exe" (depth 65)
PID: 2456
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyxdym.exe" (depth 64)
PID: 2116
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpovt.exe" (depth 63)
- System Location Discovery: System Language Discovery
PID: 1708
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wupovbeb.exe" (depth 62)
PID: 1280
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wihaqggs.exe" (depth 61)
PID: 2984
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipliklb.exe" (depth 60)
PID: 1668
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuju.exe" (depth 59)
PID: 2620
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wec.exe" (depth 58)
PID: 1908
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxpfb.exe" (depth 57)
- System Location Discovery: System Language Discovery
PID: 2088
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlhoxy.exe" (depth 56)
PID: 1248
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weny.exe" (depth 55)
- System Location Discovery: System Language Discovery
PID: 2272
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wepuvu.exe" (depth 54)
PID: 2648
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvg.exe" (depth 53)
PID: 2520
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wijvmxb.exe" (depth 52)
PID: 2972
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbpfb.exe" (depth 51)
- System Location Discovery: System Language Discovery
PID: 1256
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 208 (depth 51)
- Program crash
PID: 3008
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wobcqv.exe" (depth 50)
PID: 1740
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcslmb.exe" (depth 49)
- System Location Discovery: System Language Discovery
PID: 2732
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwuxyqmr.exe" (depth 48)
- System Location Discovery: System Language Discovery
PID: 2556
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgunqdtd.exe" (depth 47)
PID: 848
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlvhrwv.exe" (depth 46)
PID: 1576
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxn.exe" (depth 45)
PID: 2308
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wydd.exe" (depth 44)
PID: 2496
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdogayx.exe" (depth 43)
PID: 2904
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wphqxfy.exe" (depth 42)
PID: 2960
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrwdahmf.exe" (depth 41)
PID: 1600
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woptmsxh.exe" (depth 40)
- System Location Discovery: System Language Discovery
PID: 2008
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhc.exe" (depth 39)
- System Location Discovery: System Language Discovery
PID: 2812
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxwt.exe" (depth 38)
PID: 2556
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woakogyxa.exe" (depth 37)
PID: 848
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wopvrj.exe" (depth 36)
PID: 1752
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpg.exe" (depth 35)
PID: 2416
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcqr.exe" (depth 34)
- System Location Discovery: System Language Discovery
PID: 2412
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuiygjbl.exe" (depth 33)
PID: 1672
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnyf.exe" (depth 32)
- System Location Discovery: System Language Discovery
PID: 2056
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqljbbs.exe" (depth 31)
PID: 2776
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wedswhut.exe" (depth 30)
PID: 2624
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnryjr.exe" (depth 29)
PID: 2660
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevo.exe" (depth 28)
PID: 2460
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnuewcl.exe" (depth 27)
PID: 1928
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwhdvod.exe" (depth 26)
PID: 2272
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfaqad.exe" (depth 25)
PID: 2032
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwrwoaf.exe" (depth 24)
- System Location Discovery: System Language Discovery
PID: 2908
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnjd.exe" (depth 23)
- System Location Discovery: System Language Discovery
PID: 928
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwnanmsc.exe" (depth 22)
- System Location Discovery: System Language Discovery
PID: 2148
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnqqjj.exe" (depth 21)
PID: 2008
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjfowh.exe" (depth 20)
PID: 2576
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqlrana.exe" (depth 19)
PID: 2244
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjrip.exe" (depth 18)
PID: 1536
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wucj.exe" (depth 17)
PID: 2200
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfyqlekn.exe" (depth 16)
PID: 1076
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wywjn.exe" (depth 15)
PID: 2240
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmps.exe" (depth 14)
PID: 1772
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wti.exe" (depth 13)
PID: 2876
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpltaa.exe" (depth 12)
PID: 2592
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwioaqyl.exe" (depth 11)
- System Location Discovery: System Language Discovery
PID: 2664
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjibkb.exe" (depth 10)
PID: 1404
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpqiqp.exe" (depth 9)
PID: 2356
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdce.exe" (depth 8)
PID: 2992
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wipman.exe" (depth 7)
PID: 2372
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdekseifi.exe" (depth 6)
PID: 2224
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyulxrq.exe" (depth 5)
- System Location Discovery: System Language Discovery
PID: 300
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woq.exe" (depth 4)
- System Location Discovery: System Language Discovery
PID: 1840
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wro.exe" (depth 3)
PID: 1292
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\124a68814ec01da2fea5781e9590b623cebc608e02ecd34d6d535c4f7ba33c43N.exe" (depth 2)
- Deletes itself
- System Location Discovery: System Language Discovery
PID: 2828
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\install[2].htm