Analysis
max time kernel: 111s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:40

Static task: static1
Behavioral task: behavioral1
Sample: af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
Resource: win10v2004-20241007-en

General
Target: af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
Size: 107KB
MD5: e4bbd14f58c9db9a9f161b1aa5247350
SHA1: 6d0efd03776876e34c7adf5f9e3d807a1ec7762f
SHA256: af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066
SHA512: 2f15d097a0140dc41db54b33a184a953b77bbd8f7576bb30f6dd35af837b7a4e891d9e23effcba19407702bb034c8f3c007f2c6750416277eb2c5a9eadc980c7
SSDEEP: 1536:2zfXIsxrhzk2nfsW3ou3yWW2dvcW6eHcBwUi6vWE0Dl27b58XBdqaMGxuA1n1:yfjxrhzk2nfsWhP7dvavi6vWEbh8X/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
process (64 events, one per line):
woicqw.exe
wgeekhpsg.exe
weyedjw.exe
wjpcalyv.exe
wqgnitag.exe
wfj.exe
wwifm.exe
wxrqdl.exe
wlsgdms.exe
wgwrse.exe
wtnrwrv.exe
weuk.exe
wroydkw.exe
wsnoy.exe
wqotopmkn.exe
wbvwnr.exe
wrjqw.exe
wctap.exe
wggjcfk.exe
wwptofs.exe
wkgxljiy.exe
wcekla.exe
wph.exe
wkjhpe.exe
wlsih.exe
wdahd.exe
wwkehar.exe
wekojvq.exe
wnxd.exe
waps.exe
wddbxnthl.exe
wvaoox.exe
wdcrphn.exe
wlfpnbe.exe
wpyirfx.exe
wlxp.exe
wnhhk.exe
wbarie.exe
wyiwhx.exe
wkuiacj.exe
woopiwv.exe
wpnqjkawo.exe
wgrwtdg.exe
wdul.exe
wjw.exe
wetug.exe
wgue.exe
wbu.exe
waytnc.exe
wchxpsty.exe
wpvecm.exe
wllpqat.exe
wgnf.exe
wosm.exe
wxeajfdf.exe
woyeq.exe
wgqan.exe
wsjcd.exe
wbkq.exe
wxxqvo.exe
wxos.exe
wtcquv.exe
wkops.exe
wbhvfn.exe
Executes dropped EXE (64 IoCs)
pid   process
2940  wwkehar.exe
3476  wtnrwrv.exe
1364  wrtxcpet.exe
3024  wsjcd.exe
1100  wjw.exe
744   wbkq.exe
3900  wekojvq.exe
1200  weuk.exe
1048  wntcur.exe
2360  wvaoox.exe
1584  wchxpsty.exe
3920  wmefo.exe
2428  wtcquv.exe
1996  wdxwtuc.exe
4268  wkuiacj.exe
876   wdcrphn.exe
3508  wxxqvo.exe
2304  wnxd.exe
1804  woopiwv.exe
1944  wggjcfk.exe
2936  wbb.exe
4372  wlxp.exe
1900  wvtawfd.exe
2716  wroydkw.exe
2728  wetug.exe
4576  wxos.exe
1948  wqgnitag.exe
3988  wwptofs.exe
1832  wpvecm.exe
3224  wjdnqtb.exe
1500  wgue.exe
4324  wgeoqm.exe
4232  wfj.exe
1628  wsnoy.exe
3900  wwifm.exe
4008  wxrqdl.exe
212   waps.exe
2268  wtw.exe
3584  wpnqjkawo.exe
3500  wcjyjg.exe
1380  wvcsep.exe
1292  woicqw.exe
3568  wosm.exe
3900  wmrra.exe
2120  wfr.exe
3236  wjvasmc.exe
1996  wxeajfdf.exe
1644  wtsvbkos.exe
1156  wgeekhpsg.exe
3124  wgrwtdg.exe
3964  wbu.exe
3348  wlsgdms.exe
3768  wkgxljiy.exe
4228  wkjhpe.exe
2972  wllpqat.exe
4600  woyeq.exe
3792  wgnf.exe
4920  wdqq.exe
3028  wcekla.exe
2368  wgqan.exe
1032  wlfpnbe.exe
972   wgwrse.exe
1332  weyedjw.exe
1364  wlw.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (64 IoCs)
description                   ioc                                   process
File created                  C:\Windows\SysWOW64\wpnqjkawo.exe     wtw.exe
File created                  C:\Windows\SysWOW64\wfr.exe           wmrra.exe
File created                  C:\Windows\SysWOW64\weuk.exe          wekojvq.exe
File opened for modification  C:\Windows\SysWOW64\wjdnqtb.exe       wpvecm.exe
File opened for modification  C:\Windows\SysWOW64\wlxp.exe          wbb.exe
File opened for modification  C:\Windows\SysWOW64\wmrra.exe         wosm.exe
File created                  C:\Windows\SysWOW64\wxxqvo.exe        wdcrphn.exe
File opened for modification  C:\Windows\SysWOW64\wwptofs.exe       wqgnitag.exe
File created                  C:\Windows\SysWOW64\wgqan.exe         wcekla.exe
File opened for modification  C:\Windows\SysWOW64\wbarie.exe        wnhhk.exe
File created                  C:\Windows\SysWOW64\wrjqw.exe         wbarie.exe
File opened for modification  C:\Windows\SysWOW64\wnbgih.exe        wvkb.exe
File created                  C:\Windows\SysWOW64\wjw.exe           wsjcd.exe
File opened for modification  C:\Windows\SysWOW64\wkuiacj.exe       wdxwtuc.exe
File opened for modification  C:\Windows\SysWOW64\wvcsep.exe        wcjyjg.exe
File created                  C:\Windows\SysWOW64\wsklya.exe        wbhvfn.exe
File created                  C:\Windows\SysWOW64\wkcudh.exe        wpyirfx.exe
File created                  C:\Windows\SysWOW64\wdcrphn.exe       wkuiacj.exe
File created                  C:\Windows\SysWOW64\wtw.exe           waps.exe
File opened for modification  C:\Windows\SysWOW64\wlw.exe           weyedjw.exe
File created                  C:\Windows\SysWOW64\wnlchxwex.exe     wrjqw.exe
File created                  C:\Windows\SysWOW64\wlsih.exe         wdul.exe
File created                  C:\Windows\SysWOW64\wekojvq.exe       wbkq.exe
File opened for modification  C:\Windows\SysWOW64\wsnoy.exe         wfj.exe
File created                  C:\Windows\SysWOW64\wbhvfn.exe        wkops.exe
File created                  C:\Windows\SysWOW64\wctap.exe         wkcudh.exe
File created                  C:\Windows\SysWOW64\wph.exe           wlsih.exe
File created                  C:\Windows\SysWOW64\wrtxcpet.exe      wtnrwrv.exe
File created                  C:\Windows\SysWOW64\wxeajfdf.exe      wjvasmc.exe
File created                  C:\Windows\SysWOW64\wwifm.exe         wsnoy.exe
File created                  C:\Windows\SysWOW64\wtsvbkos.exe      wxeajfdf.exe
File opened for modification  C:\Windows\SysWOW64\wkops.exe         wnlchxwex.exe
File opened for modification  C:\Windows\SysWOW64\wqgnitag.exe      wxos.exe
File created                  C:\Windows\SysWOW64\wgue.exe          wjdnqtb.exe
File created                  C:\Windows\SysWOW64\wsnoy.exe         wfj.exe
File opened for modification  C:\Windows\SysWOW64\wgrwtdg.exe       wgeekhpsg.exe
File opened for modification  C:\Windows\SysWOW64\wlsgdms.exe       wbu.exe
File created                  C:\Windows\SysWOW64\wdqq.exe          wgnf.exe
File created                  C:\Windows\SysWOW64\wlw.exe           weyedjw.exe
File created                  C:\Windows\SysWOW64\wtcquv.exe        wmefo.exe
File created                  C:\Windows\SysWOW64\wvtawfd.exe       wlxp.exe
File created                  C:\Windows\SysWOW64\wlxp.exe          wbb.exe
File created                  C:\Windows\SysWOW64\wbu.exe           wgrwtdg.exe
File created                  C:\Windows\SysWOW64\wkgxljiy.exe      wlsgdms.exe
File opened for modification  C:\Windows\SysWOW64\wnhhk.exe         wgtvs.exe
File created                  C:\Windows\SysWOW64\wkops.exe         wnlchxwex.exe
File created                  C:\Windows\SysWOW64\wdahd.exe         wph.exe
File opened for modification  C:\Windows\SysWOW64\wrtxcpet.exe      wtnrwrv.exe
File created                  C:\Windows\SysWOW64\wbkq.exe          wjw.exe
File opened for modification  C:\Windows\SysWOW64\wfr.exe           wmrra.exe
File opened for modification  C:\Windows\SysWOW64\wlsih.exe         wdul.exe
File opened for modification  C:\Windows\SysWOW64\wekojvq.exe       wbkq.exe
File opened for modification  C:\Windows\SysWOW64\wxxqvo.exe        wdcrphn.exe
File created                  C:\Windows\SysWOW64\wfj.exe           wgeoqm.exe
File opened for modification  C:\Windows\SysWOW64\wpnqjkawo.exe     wtw.exe
File created                  C:\Windows\SysWOW64\woicqw.exe        wvcsep.exe
File opened for modification  C:\Windows\SysWOW64\wgqan.exe         wcekla.exe
File created                  C:\Windows\SysWOW64\weyedjw.exe       wgwrse.exe
File created                  C:\Windows\SysWOW64\wbvwnr.exe        wqotopmkn.exe
File created                  C:\Windows\SysWOW64\wggjcfk.exe       woopiwv.exe
File opened for modification  C:\Windows\SysWOW64\wroydkw.exe       wvtawfd.exe
File created                  C:\Windows\SysWOW64\wgtvs.exe         wbvwnr.exe
File opened for modification  C:\Windows\SysWOW64\wpvecm.exe        wwptofs.exe
File opened for modification  C:\Windows\SysWOW64\wgtvs.exe         wbvwnr.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (11 IoCs)
pid   pid_target  process       target process
3580  1100        WerFault.exe  wjw.exe
208   212         WerFault.exe  waps.exe
1612  3124        WerFault.exe  wgrwtdg.exe
2036  3348        WerFault.exe  wlsgdms.exe
832   3792        WerFault.exe  wgnf.exe
2940  1156        WerFault.exe  wbvwnr.exe
4248  3976        WerFault.exe  wyiwhx.exe
4360  3976        WerFault.exe  wyiwhx.exe
1720  2648        WerFault.exe  wdul.exe
4608  4544        WerFault.exe  wjpcalyv.exe
5096  4544        WerFault.exe  wjpcalyv.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process (64 events, one per line):
wxeajfdf.exe
wnhhk.exe
wkuiacj.exe
waps.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
wgtvs.exe
wlxp.exe
wroydkw.exe
wctap.exe
wvkb.exe
wrjqw.exe
wsklya.exe
wvtawfd.exe
wjpcalyv.exe
wekojvq.exe
cmd.exe
cmd.exe
wjvasmc.exe
wkcudh.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
wxos.exe
cmd.exe
wgeekhpsg.exe
wjw.exe
cmd.exe
cmd.exe
wlw.exe
cmd.exe
cmd.exe
cmd.exe
wpvecm.exe
wllpqat.exe
wgnf.exe
wnbgih.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
cmd.exe
wvaoox.exe
cmd.exe
woopiwv.exe
cmd.exe
wlfpnbe.exe
wkops.exe
cmd.exe
cmd.exe
cmd.exe
wbu.exe
cmd.exe
af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
cmd.exe
cmd.exe
cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   process                                                                   target process
PID 836 wrote to memory of 2940    836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  wwkehar.exe
PID 836 wrote to memory of 2940    836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  wwkehar.exe
PID 836 wrote to memory of 2940    836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  wwkehar.exe
PID 836 wrote to memory of 968     836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  cmd.exe
PID 836 wrote to memory of 968     836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  cmd.exe
PID 836 wrote to memory of 968     836   af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe  cmd.exe
PID 2940 wrote to memory of 3476   2940  wwkehar.exe   wtnrwrv.exe
PID 2940 wrote to memory of 3476   2940  wwkehar.exe   wtnrwrv.exe
PID 2940 wrote to memory of 3476   2940  wwkehar.exe   wtnrwrv.exe
PID 2940 wrote to memory of 2484   2940  wwkehar.exe   cmd.exe
PID 2940 wrote to memory of 2484   2940  wwkehar.exe   cmd.exe
PID 2940 wrote to memory of 2484   2940  wwkehar.exe   cmd.exe
PID 3476 wrote to memory of 1364   3476  wtnrwrv.exe   wrtxcpet.exe
PID 3476 wrote to memory of 1364   3476  wtnrwrv.exe   wrtxcpet.exe
PID 3476 wrote to memory of 1364   3476  wtnrwrv.exe   wrtxcpet.exe
PID 3476 wrote to memory of 2036   3476  wtnrwrv.exe   cmd.exe
PID 3476 wrote to memory of 2036   3476  wtnrwrv.exe   cmd.exe
PID 3476 wrote to memory of 2036   3476  wtnrwrv.exe   cmd.exe
PID 1364 wrote to memory of 3024   1364  wrtxcpet.exe  wsjcd.exe
PID 1364 wrote to memory of 3024   1364  wrtxcpet.exe  wsjcd.exe
PID 1364 wrote to memory of 3024   1364  wrtxcpet.exe  wsjcd.exe
PID 1364 wrote to memory of 3320   1364  wrtxcpet.exe  cmd.exe
PID 1364 wrote to memory of 3320   1364  wrtxcpet.exe  cmd.exe
PID 1364 wrote to memory of 3320   1364  wrtxcpet.exe  cmd.exe
PID 3024 wrote to memory of 1100   3024  wsjcd.exe     wjw.exe
PID 3024 wrote to memory of 1100   3024  wsjcd.exe     wjw.exe
PID 3024 wrote to memory of 1100   3024  wsjcd.exe     wjw.exe
PID 3024 wrote to memory of 4516   3024  wsjcd.exe     cmd.exe
PID 3024 wrote to memory of 4516   3024  wsjcd.exe     cmd.exe
PID 3024 wrote to memory of 4516   3024  wsjcd.exe     cmd.exe
PID 1100 wrote to memory of 744    1100  wjw.exe       wbkq.exe
PID 1100 wrote to memory of 744    1100  wjw.exe       wbkq.exe
PID 1100 wrote to memory of 744    1100  wjw.exe       wbkq.exe
PID 1100 wrote to memory of 832    1100  wjw.exe       cmd.exe
PID 1100 wrote to memory of 832    1100  wjw.exe       cmd.exe
PID 1100 wrote to memory of 832    1100  wjw.exe       cmd.exe
PID 744 wrote to memory of 3900    744   wbkq.exe      wekojvq.exe
PID 744 wrote to memory of 3900    744   wbkq.exe      wekojvq.exe
PID 744 wrote to memory of 3900    744   wbkq.exe      wekojvq.exe
PID 744 wrote to memory of 2424    744   wbkq.exe      cmd.exe
PID 744 wrote to memory of 2424    744   wbkq.exe      cmd.exe
PID 744 wrote to memory of 2424    744   wbkq.exe      cmd.exe
PID 3900 wrote to memory of 1200   3900  wekojvq.exe   weuk.exe
PID 3900 wrote to memory of 1200   3900  wekojvq.exe   weuk.exe
PID 3900 wrote to memory of 1200   3900  wekojvq.exe   weuk.exe
PID 3900 wrote to memory of 1948   3900  wekojvq.exe   cmd.exe
PID 3900 wrote to memory of 1948   3900  wekojvq.exe   cmd.exe
PID 3900 wrote to memory of 1948   3900  wekojvq.exe   cmd.exe
PID 1200 wrote to memory of 1048   1200  weuk.exe      wntcur.exe
PID 1200 wrote to memory of 1048   1200  weuk.exe      wntcur.exe
PID 1200 wrote to memory of 1048   1200  weuk.exe      wntcur.exe
PID 1200 wrote to memory of 3204   1200  weuk.exe      cmd.exe
PID 1200 wrote to memory of 3204   1200  weuk.exe      cmd.exe
PID 1200 wrote to memory of 3204   1200  weuk.exe      cmd.exe
PID 1048 wrote to memory of 2360   1048  wntcur.exe    wvaoox.exe
PID 1048 wrote to memory of 2360   1048  wntcur.exe    wvaoox.exe
PID 1048 wrote to memory of 2360   1048  wntcur.exe    wvaoox.exe
PID 1048 wrote to memory of 4600   1048  wntcur.exe    cmd.exe
PID 1048 wrote to memory of 4600   1048  wntcur.exe    cmd.exe
PID 1048 wrote to memory of 4600   1048  wntcur.exe    cmd.exe
PID 2360 wrote to memory of 1584   2360  wvaoox.exe    wchxpsty.exe
PID 2360 wrote to memory of 1584   2360  wvaoox.exe    wchxpsty.exe
PID 2360 wrote to memory of 1584   2360  wvaoox.exe    wchxpsty.exe
PID 2360 wrote to memory of 1960   2360  wvaoox.exe    cmd.exe
Processes
Each entry is a child of the entry above it; the number in brackets is its depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 836

[2] C:\Windows\SysWOW64\wwkehar.exe
Command line: "C:\Windows\system32\wwkehar.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2940

[3] C:\Windows\SysWOW64\wtnrwrv.exe
Command line: "C:\Windows\system32\wtnrwrv.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3476

[4] C:\Windows\SysWOW64\wrtxcpet.exe
Command line: "C:\Windows\system32\wrtxcpet.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1364

[5] C:\Windows\SysWOW64\wsjcd.exe
Command line: "C:\Windows\system32\wsjcd.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3024

[6] C:\Windows\SysWOW64\wjw.exe
Command line: "C:\Windows\system32\wjw.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1100

[7] C:\Windows\SysWOW64\wbkq.exe
Command line: "C:\Windows\system32\wbkq.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 744

[8] C:\Windows\SysWOW64\wekojvq.exe
Command line: "C:\Windows\system32\wekojvq.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3900

[9] C:\Windows\SysWOW64\weuk.exe
Command line: "C:\Windows\system32\weuk.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1200

[10] C:\Windows\SysWOW64\wntcur.exe
Command line: "C:\Windows\system32\wntcur.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1048

[11] C:\Windows\SysWOW64\wvaoox.exe
Command line: "C:\Windows\system32\wvaoox.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2360

[12] C:\Windows\SysWOW64\wchxpsty.exe
Command line: "C:\Windows\system32\wchxpsty.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 1584

[13] C:\Windows\SysWOW64\wmefo.exe
Command line: "C:\Windows\system32\wmefo.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 3920

[14] C:\Windows\SysWOW64\wtcquv.exe
Command line: "C:\Windows\system32\wtcquv.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2428

[15] C:\Windows\SysWOW64\wdxwtuc.exe
Command line: "C:\Windows\system32\wdxwtuc.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 1996

[16] C:\Windows\SysWOW64\wkuiacj.exe
Command line: "C:\Windows\system32\wkuiacj.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4268

[17] C:\Windows\SysWOW64\wdcrphn.exe
Command line: "C:\Windows\system32\wdcrphn.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 876

[18] C:\Windows\SysWOW64\wxxqvo.exe
Command line: "C:\Windows\system32\wxxqvo.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 3508

[19] C:\Windows\SysWOW64\wnxd.exe
Command line: "C:\Windows\system32\wnxd.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2304

[20] C:\Windows\SysWOW64\woopiwv.exe
Command line: "C:\Windows\system32\woopiwv.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1804

[21] C:\Windows\SysWOW64\wggjcfk.exe
Command line: "C:\Windows\system32\wggjcfk.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 1944

[22] C:\Windows\SysWOW64\wbb.exe
Command line: "C:\Windows\system32\wbb.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 2936

[23] C:\Windows\SysWOW64\wlxp.exe
Command line: "C:\Windows\system32\wlxp.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4372

[24] C:\Windows\SysWOW64\wvtawfd.exe
Command line: "C:\Windows\system32\wvtawfd.exe"
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1900

[25] C:\Windows\SysWOW64\wroydkw.exe
Command line: "C:\Windows\system32\wroydkw.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2716

[26] C:\Windows\SysWOW64\wetug.exe
Command line: "C:\Windows\system32\wetug.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2728

[27] C:\Windows\SysWOW64\wxos.exe
Command line: "C:\Windows\system32\wxos.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4576

[28] C:\Windows\SysWOW64\wqgnitag.exe
Command line: "C:\Windows\system32\wqgnitag.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 1948

[29] C:\Windows\SysWOW64\wwptofs.exe
Command line: "C:\Windows\system32\wwptofs.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 3988

[30] C:\Windows\SysWOW64\wpvecm.exe
Command line: "C:\Windows\system32\wpvecm.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1832

[31] C:\Windows\SysWOW64\wjdnqtb.exe
Command line: "C:\Windows\system32\wjdnqtb.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 3224

[32] C:\Windows\SysWOW64\wgue.exe
Command line: "C:\Windows\system32\wgue.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 1500

[33] C:\Windows\SysWOW64\wgeoqm.exe
Command line: "C:\Windows\system32\wgeoqm.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID: 4324

[34] C:\Windows\SysWOW64\wfj.exe
Command line: "C:\Windows\system32\wfj.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 4232

[35] C:\Windows\SysWOW64\wsnoy.exe
Command line: "C:\Windows\system32\wsnoy.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID: 1628

[36] C:\Windows\SysWOW64\wwifm.exe
Command line: "C:\Windows\system32\wwifm.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 3900

[37] C:\Windows\SysWOW64\wxrqdl.exe
Command line: "C:\Windows\system32\wxrqdl.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 4008

[38] C:\Windows\SysWOW64\waps.exe
Command line: "C:\Windows\system32\waps.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:212 -
C:\Windows\SysWOW64\wtw.exe"C:\Windows\system32\wtw.exe"39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\wpnqjkawo.exe"C:\Windows\system32\wpnqjkawo.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\wcjyjg.exe"C:\Windows\system32\wcjyjg.exe"41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\wvcsep.exe"C:\Windows\system32\wvcsep.exe"42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\woicqw.exe"C:\Windows\system32\woicqw.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\wosm.exe"C:\Windows\system32\wosm.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\wmrra.exe"C:\Windows\system32\wmrra.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3900 -
C:\Windows\SysWOW64\wfr.exe"C:\Windows\system32\wfr.exe"46⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\wjvasmc.exe"C:\Windows\system32\wjvasmc.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3236 -
C:\Windows\SysWOW64\wxeajfdf.exe"C:\Windows\system32\wxeajfdf.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\wtsvbkos.exe"C:\Windows\system32\wtsvbkos.exe"49⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\wgeekhpsg.exe"C:\Windows\system32\wgeekhpsg.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\wgrwtdg.exe"C:\Windows\system32\wgrwtdg.exe"51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\wbu.exe"C:\Windows\system32\wbu.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3964 -
C:\Windows\SysWOW64\wlsgdms.exe"C:\Windows\system32\wlsgdms.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3348 -
C:\Windows\SysWOW64\wkgxljiy.exe"C:\Windows\system32\wkgxljiy.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\wkjhpe.exe"C:\Windows\system32\wkjhpe.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\wllpqat.exe"C:\Windows\system32\wllpqat.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\woyeq.exe"C:\Windows\system32\woyeq.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\wgnf.exe"C:\Windows\system32\wgnf.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3792 -
C:\Windows\SysWOW64\wdqq.exe"C:\Windows\system32\wdqq.exe"59⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\wcekla.exe"C:\Windows\system32\wcekla.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\wgqan.exe"C:\Windows\system32\wgqan.exe"61⤵
- Checks computer location settings
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\wlfpnbe.exe"C:\Windows\system32\wlfpnbe.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\wgwrse.exe"C:\Windows\system32\wgwrse.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\weyedjw.exe"C:\Windows\system32\weyedjw.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\wlw.exe"C:\Windows\system32\wlw.exe"65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\waytnc.exe"C:\Windows\system32\waytnc.exe"66⤵
- Checks computer location settings
PID:1992 -
C:\Windows\SysWOW64\wqotopmkn.exe"C:\Windows\system32\wqotopmkn.exe"67⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3756 -
C:\Windows\SysWOW64\wbvwnr.exe"C:\Windows\system32\wbvwnr.exe"68⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\wgtvs.exe"C:\Windows\system32\wgtvs.exe"69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3760 -
C:\Windows\SysWOW64\wnhhk.exe"C:\Windows\system32\wnhhk.exe"70⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\wbarie.exe"C:\Windows\system32\wbarie.exe"71⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3900 -
C:\Windows\SysWOW64\wrjqw.exe"C:\Windows\system32\wrjqw.exe"72⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\wnlchxwex.exe"C:\Windows\system32\wnlchxwex.exe"73⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\wkops.exe"C:\Windows\system32\wkops.exe"74⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3424 -
C:\Windows\SysWOW64\wbhvfn.exe"C:\Windows\system32\wbhvfn.exe"75⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\wsklya.exe"C:\Windows\system32\wsklya.exe"76⤵
- System Location Discovery: System Language Discovery
PID:528 -
C:\Windows\SysWOW64\wpyirfx.exe"C:\Windows\system32\wpyirfx.exe"77⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\wkcudh.exe"C:\Windows\system32\wkcudh.exe"78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\wctap.exe"C:\Windows\system32\wctap.exe"79⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3456 -
C:\Windows\SysWOW64\wyiwhx.exe"C:\Windows\system32\wyiwhx.exe"80⤵
- Checks computer location settings
PID:3976 -
C:\Windows\SysWOW64\wdul.exe"C:\Windows\system32\wdul.exe"81⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\wlsih.exe"C:\Windows\system32\wlsih.exe"82⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\wph.exe"C:\Windows\system32\wph.exe"83⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\wdahd.exe"C:\Windows\system32\wdahd.exe"84⤵
- Checks computer location settings
PID:4412 -
C:\Windows\SysWOW64\wemam.exe"C:\Windows\system32\wemam.exe"85⤵PID:4392
-
C:\Windows\SysWOW64\wiof.exe"C:\Windows\system32\wiof.exe"86⤵PID:4992
-
C:\Windows\SysWOW64\wddbxnthl.exe"C:\Windows\system32\wddbxnthl.exe"87⤵
- Checks computer location settings
PID:2908 -
C:\Windows\SysWOW64\wagnj.exe"C:\Windows\system32\wagnj.exe"88⤵PID:448
-
C:\Windows\SysWOW64\wvkb.exe"C:\Windows\system32\wvkb.exe"89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\wnbgih.exe"C:\Windows\system32\wnbgih.exe"90⤵
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\wjpcalyv.exe"C:\Windows\system32\wjpcalyv.exe"91⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\SysWOW64\waijn.exe"C:\Windows\system32\waijn.exe"92⤵PID:4896
-
C:\Windows\SysWOW64\wwwgfc.exe"C:\Windows\system32\wwwgfc.exe"93⤵PID:3804
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waijn.exe"93⤵PID:2612
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjpcalyv.exe"92⤵PID:3308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 164892⤵
- Program crash
PID:5096 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 147292⤵
- Program crash
PID:4608 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnbgih.exe"91⤵PID:1740
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvkb.exe"90⤵PID:4840
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wagnj.exe"89⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wddbxnthl.exe"88⤵PID:4904
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiof.exe"87⤵PID:968
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wemam.exe"86⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdahd.exe"85⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wph.exe"84⤵PID:3592
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsih.exe"83⤵
- System Location Discovery: System Language Discovery
PID:3536 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdul.exe"82⤵PID:3024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 74882⤵
- Program crash
PID:1720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wyiwhx.exe"81⤵
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 11681⤵
- Program crash
PID:4248 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 153681⤵
- Program crash
PID:4360 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wctap.exe"80⤵PID:2832
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkcudh.exe"79⤵PID:3220
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpyirfx.exe"78⤵
- System Location Discovery: System Language Discovery
PID:3844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsklya.exe"77⤵PID:740
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbhvfn.exe"76⤵PID:4816
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkops.exe"75⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnlchxwex.exe"74⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqw.exe"73⤵PID:4984
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbarie.exe"72⤵PID:3496
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnhhk.exe"71⤵PID:2912
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgtvs.exe"70⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbvwnr.exe"69⤵PID:2396
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 153669⤵
- Program crash
PID:2940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqotopmkn.exe"68⤵PID:5040
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waytnc.exe"67⤵PID:2420
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlw.exe"66⤵PID:2240
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weyedjw.exe"65⤵PID:2032
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgwrse.exe"64⤵PID:4292
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlfpnbe.exe"63⤵
- System Location Discovery: System Language Discovery
PID:3404 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgqan.exe"62⤵PID:1828
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcekla.exe"61⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdqq.exe"60⤵PID:1772
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgnf.exe"59⤵PID:1596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 144459⤵
- Program crash
PID:832 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woyeq.exe"58⤵PID:4316
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wllpqat.exe"57⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkjhpe.exe"56⤵PID:4356
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkgxljiy.exe"55⤵
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlsgdms.exe"54⤵
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 153654⤵
- Program crash
PID:2036 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbu.exe"53⤵
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgrwtdg.exe"52⤵
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 167652⤵
- Program crash
PID:1612 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeekhpsg.exe"51⤵
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtsvbkos.exe"50⤵
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxeajfdf.exe"49⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjvasmc.exe"48⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfr.exe"47⤵PID:3752
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmrra.exe"46⤵PID:972
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wosm.exe"45⤵
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woicqw.exe"44⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvcsep.exe"43⤵PID:1236
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjyjg.exe"42⤵
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpnqjkawo.exe"41⤵PID:2432
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtw.exe"40⤵
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\waps.exe"39⤵PID:4892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 166039⤵
- Program crash
PID:208 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxrqdl.exe"38⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwifm.exe"37⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnoy.exe"36⤵PID:1920
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfj.exe"35⤵PID:4272
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgeoqm.exe"34⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wgue.exe"33⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjdnqtb.exe"32⤵PID:2648
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpvecm.exe"31⤵PID:2888
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwptofs.exe"30⤵
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqgnitag.exe"29⤵
- System Location Discovery: System Language Discovery
PID:4068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxos.exe"28⤵PID:3900
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wetug.exe"27⤵
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wroydkw.exe"26⤵PID:832
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvtawfd.exe"25⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlxp.exe"24⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbb.exe"23⤵PID:2464
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wggjcfk.exe"22⤵PID:1008
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\woopiwv.exe"21⤵
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wnxd.exe"20⤵PID:3572
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wxxqvo.exe"19⤵PID:4232
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdcrphn.exe"18⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkuiacj.exe"17⤵PID:2264
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdxwtuc.exe"16⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtcquv.exe"15⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmefo.exe"14⤵PID:4900
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wchxpsty.exe"13⤵
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvaoox.exe"12⤵PID:1960
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wntcur.exe"11⤵PID:4600
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\weuk.exe"10⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wekojvq.exe"9⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wbkq.exe"8⤵PID:2424
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wjw.exe"7⤵PID:832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 13087⤵
- Program crash
PID:3580 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsjcd.exe"6⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrtxcpet.exe"5⤵PID:3320
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wtnrwrv.exe"4⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wwkehar.exe"3⤵PID:2484
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\af9b9a674c87f6f5e662e61e9741e0b0c060c839254963824db1cf5f3d5eb066N.exe"2⤵
- System Location Discovery: System Language Discovery
PID:968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 11001⤵PID:4464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 2121⤵PID:4228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3124 -ip 31241⤵PID:4864
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3348 -ip 33481⤵PID:1008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3792 -ip 37921⤵PID:3608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1156 -ip 11561⤵PID:4888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3976 -ip 39761⤵PID:2036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 39761⤵PID:3392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2648 -ip 26481⤵PID:1740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4544 -ip 45441⤵PID:2492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4544 -ip 45441⤵PID:3848
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
108KB
MD54217c25b1f85e95f4e275da0cc20fe7d
SHA1ff4470183904ad6db730d5696008cf42138a332e
SHA25623bbc76b770669444151a9d5e524aed5d585367ca39568bbcc4dc3826e79a3dc
SHA5125481fea349b2d71532c03bc3391c7e154dced1f595d166f2b738dc22046b39ff7b93b3ce8c3af150a1805b0f545f9383ea247bf8744e1a3bf8321d00e5f9936d
-
Filesize
108KB
MD50dca54bdf09e1206f252ea340faba924
SHA1e689b641003be8a5d92d659d147ba7678d5e5a7d
SHA256b3bc818b6db709ccf1ab395b03d591d2c109f90539804e84154e5dc808a31052
SHA5127e469650cb7cc2e9b8b594c44f04c31c40ebb21559488691b534958d546d7d99c4acdfbf26d47073f04d6f0335b312f6b265926b0600f3110ef36a9fdeeda5d0