5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
Size

10.4MB
MD5

11f1eb0f5bc7b2154d81e5aefd9b2810
SHA1

5fb0ba246b285b7c341fc0465ffc520356f6b5ad
SHA256

5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179
SHA512

b03dcf048451eddeb1313583bd9ee2b1ddb3ae775e6a520108e78799ae68bd11d552de967a7e3a6f348783ef280ea135651391e243dec350b6cf95388a06d941
SSDEEP

196608:XZGmuosR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnosREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3820	vhbwxwsggw.exe
3768	vhbwxwsggw.exe
1620	ljiprvepas.exe
5000	ljiprvepas.exe
3884	svslrrxusw.exe
1356	svslrrxusw.exe
4932	lkffkgwvsr.exe
708	lkffkgwvsr.exe
1060	nfsakoofji.exe
2264	nfsakoofji.exe
5032	qiwlozluhk.exe
4280	qiwlozluhk.exe
4284	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
976	dmioalqvhq.exe
3240	dmioalqvhq.exe
3024	negheqvezi.exe
4464	negheqvezi.exe
1664	svpklyrgdl.exe
3272	svpklyrgdl.exe
4752	vqdtonyiob.exe
1464	vqdtonyiob.exe
4276	zohphkeuan.exe
1208	zohphkeuan.exe
1924	nnwibuubzo.exe
4884	nnwibuubzo.exe
3692	hqlrdkcdyy.exe
1336	hqlrdkcdyy.exe
860	fgwhhlajxo.exe
1640	fgwhhlajxo.exe
4560	okftorehwk.exe
2556	okftorehwk.exe
2352	xhbpieappn.exe
624	xhbpieappn.exe
2144	cjxtdqsdij.exe
5076	cjxtdqsdij.exe
996	rwohsaxcax.exe
4132	rwohsaxcax.exe
2944	bzraksxnzi.exe
1920	bzraksxnzi.exe
3240	tozmxfgygf.exe
3884	tozmxfgygf.exe
4464	wkpkogdiaf.exe
4960	wkpkogdiaf.exe
3616	odmdhbdusp.exe
1060	odmdhbdusp.exe
5004	wijzbnybdt.exe
1032	wijzbnybdt.exe
4460	jvynhbogzm.exe
4392	jvynhbogzm.exe
3644	gahyfhweyb.exe
208	gahyfhweyb.exe
4688	bowlkvukmu.exe
2908	bowlkvukmu.exe
2280	gmeepqgvkl.exe
3648	gmeepqgvkl.exe
5060	tovxsxxxbs.exe
2984	tovxsxxxbs.exe
3540	onxjgwxohd.exe
2624	onxjgwxohd.exe
3120	dseedxvzkw.exe
1072	dseedxvzkw.exe
1324	lxsiysihvi.exe
2472	lxsiysihvi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2044	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
3820	vhbwxwsggw.exe
3768	vhbwxwsggw.exe
1620	ljiprvepas.exe
5000	ljiprvepas.exe
3884	svslrrxusw.exe
1356	svslrrxusw.exe
4932	lkffkgwvsr.exe
708	lkffkgwvsr.exe
1060	nfsakoofji.exe
2264	nfsakoofji.exe
5032	qiwlozluhk.exe
4280	qiwlozluhk.exe
4284	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
976	dmioalqvhq.exe
3240	dmioalqvhq.exe
3024	negheqvezi.exe
4464	negheqvezi.exe
1664	svpklyrgdl.exe
3272	svpklyrgdl.exe
4752	vqdtonyiob.exe
1464	vqdtonyiob.exe
4276	zohphkeuan.exe
1208	zohphkeuan.exe
1924	nnwibuubzo.exe
4884	nnwibuubzo.exe
3692	hqlrdkcdyy.exe
1336	hqlrdkcdyy.exe
860	fgwhhlajxo.exe
1640	fgwhhlajxo.exe
4560	okftorehwk.exe
2556	okftorehwk.exe
2352	xhbpieappn.exe
624	xhbpieappn.exe
2144	cjxtdqsdij.exe
5076	cjxtdqsdij.exe
996	rwohsaxcax.exe
4132	rwohsaxcax.exe
2944	bzraksxnzi.exe
1920	bzraksxnzi.exe
3240	tozmxfgygf.exe
3884	tozmxfgygf.exe
4464	wkpkogdiaf.exe
4960	wkpkogdiaf.exe
3616	odmdhbdusp.exe
1060	odmdhbdusp.exe
5004	wijzbnybdt.exe
1032	wijzbnybdt.exe
4460	jvynhbogzm.exe
4392	jvynhbogzm.exe
3644	gahyfhweyb.exe
208	gahyfhweyb.exe
4688	bowlkvukmu.exe
2908	bowlkvukmu.exe
2280	gmeepqgvkl.exe
3648	gmeepqgvkl.exe
5060	tovxsxxxbs.exe
2984	tovxsxxxbs.exe
3540	onxjgwxohd.exe
2624	onxjgwxohd.exe
3120	dseedxvzkw.exe
1072	dseedxvzkw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfsakoofji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaxgfruvln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gjqhlidblv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnwibuubzo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckqknqghkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgwhhlajxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tozmxfgygf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohphkeuan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okftorehwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzraksxnzi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dchjctgtzs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykdmrsuoaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwvfrcokax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmnijdoqxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnwibuubzo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dseedxvzkw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bumynmbsux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgtvlhtrxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaxgfruvln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmioalqvhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdzhdwtpwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piuylbjeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcjswmrgzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jpoqbwaetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brpehcvxmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bowlkvukmu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tovxsxxxbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eizshpxjet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lemfuymyqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjhwclboha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxyjypghsy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckqknqghkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmnijdoqxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiwlozluhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wkpkogdiaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odmdhbdusp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wijzbnybdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxsiysihvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpbwhgssjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jvynhbogzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tktjetqgoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltfwogglng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tovxsxxxbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfvpkwphwv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gjqhlidblv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhbwxwsggw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	negheqvezi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zohphkeuan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxsiysihvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svpklyrgdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tozmxfgygf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odmdhbdusp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcnbqyyfgt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otbtfmvvxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lemfuymyqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brpehcvxmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtrppskdpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabovyirca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jplqgywfcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jplqgywfcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljiprvepas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dslpqcpfuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gahyfhweyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmeepqgvkl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2044	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2044	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
3820	vhbwxwsggw.exe
3820	vhbwxwsggw.exe
3820	vhbwxwsggw.exe
3820	vhbwxwsggw.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
3768	vhbwxwsggw.exe
3768	vhbwxwsggw.exe
1620	ljiprvepas.exe
1620	ljiprvepas.exe
1620	ljiprvepas.exe
1620	ljiprvepas.exe
5000	ljiprvepas.exe
5000	ljiprvepas.exe
3820	vhbwxwsggw.exe
3820	vhbwxwsggw.exe
3884	svslrrxusw.exe
3884	svslrrxusw.exe
3884	svslrrxusw.exe
3884	svslrrxusw.exe
1356	svslrrxusw.exe
1356	svslrrxusw.exe
1620	ljiprvepas.exe
1620	ljiprvepas.exe
4932	lkffkgwvsr.exe
4932	lkffkgwvsr.exe
4932	lkffkgwvsr.exe
4932	lkffkgwvsr.exe
708	lkffkgwvsr.exe
708	lkffkgwvsr.exe
3884	svslrrxusw.exe
3884	svslrrxusw.exe
1060	nfsakoofji.exe
1060	nfsakoofji.exe
1060	nfsakoofji.exe
1060	nfsakoofji.exe
2264	nfsakoofji.exe
2264	nfsakoofji.exe
4932	lkffkgwvsr.exe
4932	lkffkgwvsr.exe
5032	qiwlozluhk.exe
5032	qiwlozluhk.exe
5032	qiwlozluhk.exe
5032	qiwlozluhk.exe
4280	qiwlozluhk.exe
4280	qiwlozluhk.exe
1060	nfsakoofji.exe
1060	nfsakoofji.exe
4284	dslpqcpfuy.exe
4284	dslpqcpfuy.exe
4284	dslpqcpfuy.exe
4284	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
5032	qiwlozluhk.exe
5032	qiwlozluhk.exe
976	dmioalqvhq.exe
976	dmioalqvhq.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2044	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2044	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
3820	vhbwxwsggw.exe
3820	vhbwxwsggw.exe
3768	vhbwxwsggw.exe
3768	vhbwxwsggw.exe
1620	ljiprvepas.exe
1620	ljiprvepas.exe
5000	ljiprvepas.exe
5000	ljiprvepas.exe
3884	svslrrxusw.exe
3884	svslrrxusw.exe
1356	svslrrxusw.exe
1356	svslrrxusw.exe
4932	lkffkgwvsr.exe
4932	lkffkgwvsr.exe
708	lkffkgwvsr.exe
708	lkffkgwvsr.exe
1060	nfsakoofji.exe
1060	nfsakoofji.exe
2264	nfsakoofji.exe
2264	nfsakoofji.exe
5032	qiwlozluhk.exe
5032	qiwlozluhk.exe
4280	qiwlozluhk.exe
4280	qiwlozluhk.exe
4284	dslpqcpfuy.exe
4284	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
3888	dslpqcpfuy.exe
976	dmioalqvhq.exe
976	dmioalqvhq.exe
3240	dmioalqvhq.exe
3240	dmioalqvhq.exe
3024	negheqvezi.exe
3024	negheqvezi.exe
4464	negheqvezi.exe
4464	negheqvezi.exe
1664	svpklyrgdl.exe
1664	svpklyrgdl.exe
3272	svpklyrgdl.exe
3272	svpklyrgdl.exe
4752	vqdtonyiob.exe
4752	vqdtonyiob.exe
1464	vqdtonyiob.exe
1464	vqdtonyiob.exe
4276	zohphkeuan.exe
4276	zohphkeuan.exe
1208	zohphkeuan.exe
1208	zohphkeuan.exe
1924	nnwibuubzo.exe
1924	nnwibuubzo.exe
4884	nnwibuubzo.exe
4884	nnwibuubzo.exe
3692	hqlrdkcdyy.exe
3692	hqlrdkcdyy.exe
1336	hqlrdkcdyy.exe
1336	hqlrdkcdyy.exe
860	fgwhhlajxo.exe
860	fgwhhlajxo.exe
1640	fgwhhlajxo.exe
1640	fgwhhlajxo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2044	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	83
PID 1772 wrote to memory of 2044	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	83
PID 1772 wrote to memory of 2044	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	83
PID 1772 wrote to memory of 3820	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	86
PID 1772 wrote to memory of 3820	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	86
PID 1772 wrote to memory of 3820	1772	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	86
PID 3820 wrote to memory of 3768	3820	vhbwxwsggw.exe	87
PID 3820 wrote to memory of 3768	3820	vhbwxwsggw.exe	87
PID 3820 wrote to memory of 3768	3820	vhbwxwsggw.exe	87
PID 3820 wrote to memory of 1620	3820	vhbwxwsggw.exe	88
PID 3820 wrote to memory of 1620	3820	vhbwxwsggw.exe	88
PID 3820 wrote to memory of 1620	3820	vhbwxwsggw.exe	88
PID 1620 wrote to memory of 5000	1620	ljiprvepas.exe	89
PID 1620 wrote to memory of 5000	1620	ljiprvepas.exe	89
PID 1620 wrote to memory of 5000	1620	ljiprvepas.exe	89
PID 1620 wrote to memory of 3884	1620	ljiprvepas.exe	92
PID 1620 wrote to memory of 3884	1620	ljiprvepas.exe	92
PID 1620 wrote to memory of 3884	1620	ljiprvepas.exe	92
PID 3884 wrote to memory of 1356	3884	svslrrxusw.exe	94
PID 3884 wrote to memory of 1356	3884	svslrrxusw.exe	94
PID 3884 wrote to memory of 1356	3884	svslrrxusw.exe	94
PID 3884 wrote to memory of 4932	3884	svslrrxusw.exe	96
PID 3884 wrote to memory of 4932	3884	svslrrxusw.exe	96
PID 3884 wrote to memory of 4932	3884	svslrrxusw.exe	96
PID 4932 wrote to memory of 708	4932	lkffkgwvsr.exe	97
PID 4932 wrote to memory of 708	4932	lkffkgwvsr.exe	97
PID 4932 wrote to memory of 708	4932	lkffkgwvsr.exe	97
PID 4932 wrote to memory of 1060	4932	lkffkgwvsr.exe	98
PID 4932 wrote to memory of 1060	4932	lkffkgwvsr.exe	98
PID 4932 wrote to memory of 1060	4932	lkffkgwvsr.exe	98
PID 1060 wrote to memory of 2264	1060	nfsakoofji.exe	99
PID 1060 wrote to memory of 2264	1060	nfsakoofji.exe	99
PID 1060 wrote to memory of 2264	1060	nfsakoofji.exe	99
PID 1060 wrote to memory of 5032	1060	nfsakoofji.exe	100
PID 1060 wrote to memory of 5032	1060	nfsakoofji.exe	100
PID 1060 wrote to memory of 5032	1060	nfsakoofji.exe	100
PID 5032 wrote to memory of 4280	5032	qiwlozluhk.exe	102
PID 5032 wrote to memory of 4280	5032	qiwlozluhk.exe	102
PID 5032 wrote to memory of 4280	5032	qiwlozluhk.exe	102
PID 5032 wrote to memory of 4284	5032	qiwlozluhk.exe	103
PID 5032 wrote to memory of 4284	5032	qiwlozluhk.exe	103
PID 5032 wrote to memory of 4284	5032	qiwlozluhk.exe	103
PID 4284 wrote to memory of 3888	4284	dslpqcpfuy.exe	104
PID 4284 wrote to memory of 3888	4284	dslpqcpfuy.exe	104
PID 4284 wrote to memory of 3888	4284	dslpqcpfuy.exe	104
PID 4284 wrote to memory of 976	4284	dslpqcpfuy.exe	106
PID 4284 wrote to memory of 976	4284	dslpqcpfuy.exe	106
PID 4284 wrote to memory of 976	4284	dslpqcpfuy.exe	106
PID 976 wrote to memory of 3240	976	dmioalqvhq.exe	134
PID 976 wrote to memory of 3240	976	dmioalqvhq.exe	134
PID 976 wrote to memory of 3240	976	dmioalqvhq.exe	134
PID 976 wrote to memory of 3024	976	dmioalqvhq.exe	109
PID 976 wrote to memory of 3024	976	dmioalqvhq.exe	109
PID 976 wrote to memory of 3024	976	dmioalqvhq.exe	109
PID 3024 wrote to memory of 4464	3024	negheqvezi.exe	136
PID 3024 wrote to memory of 4464	3024	negheqvezi.exe	136
PID 3024 wrote to memory of 4464	3024	negheqvezi.exe	136
PID 3024 wrote to memory of 1664	3024	negheqvezi.exe	111
PID 3024 wrote to memory of 1664	3024	negheqvezi.exe	111
PID 3024 wrote to memory of 1664	3024	negheqvezi.exe	111
PID 1664 wrote to memory of 3272	1664	svpklyrgdl.exe	112
PID 1664 wrote to memory of 3272	1664	svpklyrgdl.exe	112
PID 1664 wrote to memory of 3272	1664	svpklyrgdl.exe	112
PID 1664 wrote to memory of 4752	1664	svpklyrgdl.exe	113

C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
"C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
  C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe update vhbwxwsggw.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\vhbwxwsggw.exe
  C:\Users\Admin\AppData\Local\Temp\vhbwxwsggw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\vhbwxwsggw.exe
    C:\Users\Admin\AppData\Local\Temp\vhbwxwsggw.exe update ljiprvepas.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\ljiprvepas.exe
    C:\Users\Admin\AppData\Local\Temp\ljiprvepas.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\ljiprvepas.exe
      C:\Users\Admin\AppData\Local\Temp\ljiprvepas.exe update svslrrxusw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\svslrrxusw.exe
      C:\Users\Admin\AppData\Local\Temp\svslrrxusw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\svslrrxusw.exe
        
        C:\Users\Admin\AppData\Local\Temp\svslrrxusw.exe update lkffkgwvsr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\lkffkgwvsr.exe
        
        C:\Users\Admin\AppData\Local\Temp\lkffkgwvsr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\lkffkgwvsr.exe
        
        C:\Users\Admin\AppData\Local\Temp\lkffkgwvsr.exe update nfsakoofji.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\nfsakoofji.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfsakoofji.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\nfsakoofji.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfsakoofji.exe update qiwlozluhk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\qiwlozluhk.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiwlozluhk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\qiwlozluhk.exe
        
        C:\Users\Admin\AppData\Local\Temp\qiwlozluhk.exe update dslpqcpfuy.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\dslpqcpfuy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dslpqcpfuy.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\dslpqcpfuy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dslpqcpfuy.exe update dmioalqvhq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\dmioalqvhq.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmioalqvhq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\dmioalqvhq.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmioalqvhq.exe update negheqvezi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\negheqvezi.exe
        
        C:\Users\Admin\AppData\Local\Temp\negheqvezi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\negheqvezi.exe
        
        C:\Users\Admin\AppData\Local\Temp\negheqvezi.exe update svpklyrgdl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\svpklyrgdl.exe
        
        C:\Users\Admin\AppData\Local\Temp\svpklyrgdl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\svpklyrgdl.exe
        
        C:\Users\Admin\AppData\Local\Temp\svpklyrgdl.exe update vqdtonyiob.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\vqdtonyiob.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqdtonyiob.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\vqdtonyiob.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqdtonyiob.exe update zohphkeuan.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\zohphkeuan.exe
        
        C:\Users\Admin\AppData\Local\Temp\zohphkeuan.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\zohphkeuan.exe
        
        C:\Users\Admin\AppData\Local\Temp\zohphkeuan.exe update nnwibuubzo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\nnwibuubzo.exe
        
        C:\Users\Admin\AppData\Local\Temp\nnwibuubzo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\nnwibuubzo.exe
        
        C:\Users\Admin\AppData\Local\Temp\nnwibuubzo.exe update hqlrdkcdyy.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\hqlrdkcdyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\hqlrdkcdyy.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\hqlrdkcdyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\hqlrdkcdyy.exe update fgwhhlajxo.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\fgwhhlajxo.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgwhhlajxo.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\fgwhhlajxo.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgwhhlajxo.exe update okftorehwk.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\okftorehwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\okftorehwk.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\okftorehwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\okftorehwk.exe update xhbpieappn.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\xhbpieappn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xhbpieappn.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\xhbpieappn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xhbpieappn.exe update cjxtdqsdij.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\cjxtdqsdij.exe
        
        C:\Users\Admin\AppData\Local\Temp\cjxtdqsdij.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\cjxtdqsdij.exe
        
        C:\Users\Admin\AppData\Local\Temp\cjxtdqsdij.exe update rwohsaxcax.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\rwohsaxcax.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwohsaxcax.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\rwohsaxcax.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwohsaxcax.exe update bzraksxnzi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\bzraksxnzi.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzraksxnzi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\bzraksxnzi.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzraksxnzi.exe update tozmxfgygf.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tozmxfgygf.exe
        
        C:\Users\Admin\AppData\Local\Temp\tozmxfgygf.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tozmxfgygf.exe
        
        C:\Users\Admin\AppData\Local\Temp\tozmxfgygf.exe update wkpkogdiaf.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\wkpkogdiaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\wkpkogdiaf.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\wkpkogdiaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\wkpkogdiaf.exe update odmdhbdusp.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\odmdhbdusp.exe
        
        C:\Users\Admin\AppData\Local\Temp\odmdhbdusp.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\odmdhbdusp.exe
        
        C:\Users\Admin\AppData\Local\Temp\odmdhbdusp.exe update wijzbnybdt.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\wijzbnybdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\wijzbnybdt.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wijzbnybdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\wijzbnybdt.exe update jvynhbogzm.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe
        
        C:\Users\Admin\AppData\Local\Temp\jvynhbogzm.exe update gahyfhweyb.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe update bowlkvukmu.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\bowlkvukmu.exe
        
        C:\Users\Admin\AppData\Local\Temp\bowlkvukmu.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\bowlkvukmu.exe
        
        C:\Users\Admin\AppData\Local\Temp\bowlkvukmu.exe update gmeepqgvkl.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\gmeepqgvkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\gmeepqgvkl.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\gmeepqgvkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\gmeepqgvkl.exe update tovxsxxxbs.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tovxsxxxbs.exe
        
        C:\Users\Admin\AppData\Local\Temp\tovxsxxxbs.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tovxsxxxbs.exe
        
        C:\Users\Admin\AppData\Local\Temp\tovxsxxxbs.exe update onxjgwxohd.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe
        
        C:\Users\Admin\AppData\Local\Temp\onxjgwxohd.exe update dseedxvzkw.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\dseedxvzkw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dseedxvzkw.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\dseedxvzkw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dseedxvzkw.exe update lxsiysihvi.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\lxsiysihvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\lxsiysihvi.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\lxsiysihvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\lxsiysihvi.exe update bumynmbsux.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\bumynmbsux.exe
        
        C:\Users\Admin\AppData\Local\Temp\bumynmbsux.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\bumynmbsux.exe
        
        C:\Users\Admin\AppData\Local\Temp\bumynmbsux.exe update dxyjypghsy.exe
        35⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\dxyjypghsy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxyjypghsy.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\dxyjypghsy.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxyjypghsy.exe update bgtvlhtrxr.exe
        36⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\bgtvlhtrxr.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgtvlhtrxr.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\bgtvlhtrxr.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgtvlhtrxr.exe update tktjetqgoc.exe
        37⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tktjetqgoc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tktjetqgoc.exe
        37⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tktjetqgoc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tktjetqgoc.exe update dchjctgtzs.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\dchjctgtzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\dchjctgtzs.exe
        38⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\dchjctgtzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\dchjctgtzs.exe update ckqknqghkt.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\ckqknqghkt.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckqknqghkt.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\ckqknqghkt.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckqknqghkt.exe update dartvawvhz.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\dartvawvhz.exe
        
        C:\Users\Admin\AppData\Local\Temp\dartvawvhz.exe
        40⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\dartvawvhz.exe
        
        C:\Users\Admin\AppData\Local\Temp\dartvawvhz.exe update vdqwcrkusr.exe
        41⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\vdqwcrkusr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vdqwcrkusr.exe
        41⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\vdqwcrkusr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vdqwcrkusr.exe update nkaxyholci.exe
        42⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\nkaxyholci.exe
        
        C:\Users\Admin\AppData\Local\Temp\nkaxyholci.exe
        42⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\nkaxyholci.exe
        
        C:\Users\Admin\AppData\Local\Temp\nkaxyholci.exe update snsvuodnow.exe
        43⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\snsvuodnow.exe
        
        C:\Users\Admin\AppData\Local\Temp\snsvuodnow.exe
        43⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\snsvuodnow.exe
        
        C:\Users\Admin\AppData\Local\Temp\snsvuodnow.exe update xaxgfruvln.exe
        44⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\xaxgfruvln.exe
        
        C:\Users\Admin\AppData\Local\Temp\xaxgfruvln.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\xaxgfruvln.exe
        
        C:\Users\Admin\AppData\Local\Temp\xaxgfruvln.exe update hdzhdwtpwn.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\hdzhdwtpwn.exe
        
        C:\Users\Admin\AppData\Local\Temp\hdzhdwtpwn.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\hdzhdwtpwn.exe
        
        C:\Users\Admin\AppData\Local\Temp\hdzhdwtpwn.exe update piuylbjeus.exe
        46⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\piuylbjeus.exe
        
        C:\Users\Admin\AppData\Local\Temp\piuylbjeus.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\piuylbjeus.exe
        
        C:\Users\Admin\AppData\Local\Temp\piuylbjeus.exe update zakrppfvds.exe
        47⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\zakrppfvds.exe
        
        C:\Users\Admin\AppData\Local\Temp\zakrppfvds.exe
        47⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\zakrppfvds.exe
        
        C:\Users\Admin\AppData\Local\Temp\zakrppfvds.exe update pfvpkwphwv.exe
        48⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\pfvpkwphwv.exe
        
        C:\Users\Admin\AppData\Local\Temp\pfvpkwphwv.exe
        48⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\pfvpkwphwv.exe
        
        C:\Users\Admin\AppData\Local\Temp\pfvpkwphwv.exe update mcjswmrgzy.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\mcjswmrgzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\mcjswmrgzy.exe
        49⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\mcjswmrgzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\mcjswmrgzy.exe update zfslhtiqqo.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\zfslhtiqqo.exe
        
        C:\Users\Admin\AppData\Local\Temp\zfslhtiqqo.exe
        50⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\zfslhtiqqo.exe
        
        C:\Users\Admin\AppData\Local\Temp\zfslhtiqqo.exe update hcnbqyyfgt.exe
        51⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\hcnbqyyfgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\hcnbqyyfgt.exe
        51⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\hcnbqyyfgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\hcnbqyyfgt.exe update fwvfrcokax.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\fwvfrcokax.exe
        
        C:\Users\Admin\AppData\Local\Temp\fwvfrcokax.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\fwvfrcokax.exe
        
        C:\Users\Admin\AppData\Local\Temp\fwvfrcokax.exe update cmnijdoqxx.exe
        53⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\cmnijdoqxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmnijdoqxx.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\cmnijdoqxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmnijdoqxx.exe update eabovyirca.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\eabovyirca.exe
        
        C:\Users\Admin\AppData\Local\Temp\eabovyirca.exe
        54⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\eabovyirca.exe
        
        C:\Users\Admin\AppData\Local\Temp\eabovyirca.exe update eizshpxjet.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\eizshpxjet.exe
        
        C:\Users\Admin\AppData\Local\Temp\eizshpxjet.exe
        55⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\eizshpxjet.exe
        
        C:\Users\Admin\AppData\Local\Temp\eizshpxjet.exe update otbtfmvvxs.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\otbtfmvvxs.exe
        
        C:\Users\Admin\AppData\Local\Temp\otbtfmvvxs.exe
        56⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\otbtfmvvxs.exe
        
        C:\Users\Admin\AppData\Local\Temp\otbtfmvvxs.exe update mcwereiful.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\mcwereiful.exe
        
        C:\Users\Admin\AppData\Local\Temp\mcwereiful.exe
        57⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\mcwereiful.exe
        
        C:\Users\Admin\AppData\Local\Temp\mcwereiful.exe update rlmcfmgqep.exe
        58⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\rlmcfmgqep.exe
        
        C:\Users\Admin\AppData\Local\Temp\rlmcfmgqep.exe
        58⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\rlmcfmgqep.exe
        
        C:\Users\Admin\AppData\Local\Temp\rlmcfmgqep.exe update jplqgywfcs.exe
        59⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\jplqgywfcs.exe
        
        C:\Users\Admin\AppData\Local\Temp\jplqgywfcs.exe
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\jplqgywfcs.exe
        
        C:\Users\Admin\AppData\Local\Temp\jplqgywfcs.exe update bpbwhgssjp.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\bpbwhgssjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpbwhgssjp.exe
        60⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\bpbwhgssjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpbwhgssjp.exe update ykdmrsuoaf.exe
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\ykdmrsuoaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\ykdmrsuoaf.exe
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\ykdmrsuoaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\ykdmrsuoaf.exe update lemfuymyqu.exe
        62⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\lemfuymyqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\lemfuymyqu.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\lemfuymyqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\lemfuymyqu.exe update tjhwclboha.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tjhwclboha.exe
        
        C:\Users\Admin\AppData\Local\Temp\tjhwclboha.exe
        63⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tjhwclboha.exe
        
        C:\Users\Admin\AppData\Local\Temp\tjhwclboha.exe update brpehcvxmq.exe
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\brpehcvxmq.exe
        
        C:\Users\Admin\AppData\Local\Temp\brpehcvxmq.exe
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\brpehcvxmq.exe
        
        C:\Users\Admin\AppData\Local\Temp\brpehcvxmq.exe update wmfxzqjudq.exe
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wmfxzqjudq.exe
        
        C:\Users\Admin\AppData\Local\Temp\wmfxzqjudq.exe
        65⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\wmfxzqjudq.exe
        
        C:\Users\Admin\AppData\Local\Temp\wmfxzqjudq.exe update jpoqbwaetx.exe
        66⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\jpoqbwaetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jpoqbwaetx.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\jpoqbwaetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jpoqbwaetx.exe update gjqhlidblv.exe
        67⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\gjqhlidblv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gjqhlidblv.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\gjqhlidblv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gjqhlidblv.exe update qtrppskdpb.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\qtrppskdpb.exe
        
        C:\Users\Admin\AppData\Local\Temp\qtrppskdpb.exe
        68⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\qtrppskdpb.exe
        
        C:\Users\Admin\AppData\Local\Temp\qtrppskdpb.exe update gcothrkjad.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\gcothrkjad.exe
        
        C:\Users\Admin\AppData\Local\Temp\gcothrkjad.exe
        69⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\gcothrkjad.exe
        
        C:\Users\Admin\AppData\Local\Temp\gcothrkjad.exe update ltfwogglng.exe
        70⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\ltfwogglng.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltfwogglng.exe
        70⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\ltfwogglng.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltfwogglng.exe update vpiigyholr.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\vpiigyholr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vpiigyholr.exe
        71⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\vpiigyholr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vpiigyholr.exe update nteyawbqbu.exe
        72⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\nteyawbqbu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nteyawbqbu.exe
        72⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\nteyawbqbu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nteyawbqbu.exe update nifoqgrmyb.exe
        73⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\nifoqgrmyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\nifoqgrmyb.exe
        73⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\nifoqgrmyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\nifoqgrmyb.exe update gxqcecixxe.exe
        74⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\gxqcecixxe.exe
        
        C:\Users\Admin\AppData\Local\Temp\gxqcecixxe.exe
        74⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\gxqcecixxe.exe
        
        C:\Users\Admin\AppData\Local\Temp\gxqcecixxe.exe update vyngeablah.exe
        75⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\vyngeablah.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyngeablah.exe
        75⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\vyngeablah.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyngeablah.exe update dgujprpdlh.exe
        76⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        76⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe update xfnhjjrupl.exe
        77⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\xfnhjjrupl.exe
        
        C:\Users\Admin\AppData\Local\Temp\xfnhjjrupl.exe
        77⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\xfnhjjrupl.exe
        
        C:\Users\Admin\AppData\Local\Temp\xfnhjjrupl.exe update fywlezelbn.exe
        78⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\fywlezelbn.exe
        
        C:\Users\Admin\AppData\Local\Temp\fywlezelbn.exe
        78⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\fywlezelbn.exe
        
        C:\Users\Admin\AppData\Local\Temp\fywlezelbn.exe update cxowwawsfo.exe
        79⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\cxowwawsfo.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxowwawsfo.exe
        79⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\cxowwawsfo.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxowwawsfo.exe update suimltqvdv.exe
        80⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\suimltqvdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\suimltqvdv.exe
        80⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\suimltqvdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\suimltqvdv.exe update forxwaheul.exe
        81⤵
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cjxtdqsdij.exe

Filesize
10.4MB

MD5
526e8533cbecb64a9b1756b21872f557

SHA1
a21cbfa0b07b72115527cc129ed320b7403c8d2a

SHA256
3ed57db065017e7a91e9fd1164f74d616fd404547f7dc9be2bc7060532525503

SHA512
6023afbcb40b050845e1826db17d9c6efb0a3684a80ceb9fcc56191dbfd55a030e8b15e35740fce7acf2e8f16cb1d3778caab117a49dde0757613dffaeabdc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmioalqvhq.exe

Filesize
10.4MB

MD5
98ce2e3395c6d3ea343c1cb8f1de31a3

SHA1
01008bde94408865d83318370321da15209c357b

SHA256
ddecbfa7d044d9e3658a3a4ba9516ea2dc6764fe7f428c6d1a8b2a36ce5fb4aa

SHA512
1100d31aea6f5d384ed1c5b72d2e5c49b5a6627915dd5d90e7459104bd82d4a2e03bcbe895039084b112718d8026f03c4ce7d96b71b3f6724aaf87cb54be5dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dslpqcpfuy.exe

Filesize
10.4MB

MD5
aa74408df1932f867f7b64ae94bba523

SHA1
e7d4c7e627b0cc877f078a9ac8b75c2c30f89a3f

SHA256
559a83635b55cb0fdd59154e4599093f4b97d3a26937d1e3ed198f5b28e2db19

SHA512
1340dedc2fb9eca12ca84e0dea53f6f2954189453cb08975405b2de8f1d6b4bcc21c94b23f1675b93486b54edb8ec93dca17f4ff486ac0e929ceec0d5a2f11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgwhhlajxo.exe

Filesize
10.4MB

MD5
d2a322d5332503b3ab0eef09113097b5

SHA1
61d1b9264a9acaf9669cf3f343e1d6843d9ee1dc

SHA256
933beb3b7909a2adcf27153b285ce5e2abbb784f882aa452982ec089a8cf25f0

SHA512
68dd61baf7a790f81e6b68818c92b554e39b3b12fc0fdae8fa879cf6aa51a1abeaea451d8d48313cd4c1d5ea761339049d48d7e8644a96908cebcc26c50f538f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqlrdkcdyy.exe

Filesize
10.4MB

MD5
472f03057a1a405857de6fcf6eb94a53

SHA1
cffde960e8ebe79666f9e53dbe71d71cda497aee

SHA256
5a2f03460880af99e20a4d2caa68f6e5c6e8d43286dbd1aaa3e24918c86271fe

SHA512
13ec35216323860b517e255158ffb4f70c9fdea2484b8a20a716a681b81e85e98404ecca02f86a6cdc60d84726de576f2763580245a184e02bcef861e8ba5391

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljiprvepas.exe

Filesize
10.4MB

MD5
8cdf717f44de1d0ff20582fe74fecfd9

SHA1
f52a534e2fd4f29bacdbb71f31a46663840cac35

SHA256
d3d5438cf56555b8424d53a68bd8d609a5b6e780175cd65fc8709a685613ef44

SHA512
a6f3b5dba029bfcb7c3baf09692e00c96754c58505d6ce17b696afe45e4a32ef7447b0bc98925e97c11591e74863c169d261e6e4c84bb98392a340b93f1e7dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkffkgwvsr.exe

Filesize
10.4MB

MD5
e0c8bd8397b76d6c68ee92339a5d598c

SHA1
0a0d4d49c55265afb8f68d44dab646230be88bd5

SHA256
2c61f1b46c7c927e066f01b0108c9e6505a9963be571bab9281a4f138ad209ff

SHA512
56eeb003fce9d04134fd8fea7385c8310124a0b9ccb5637c5867a6eb126f77e76a533185f092512a2882a656abfa116eeaccc5a62c42c911dd078302429f9aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\negheqvezi.exe

Filesize
10.4MB

MD5
387511a607af6a1a3579a84d2df97f24

SHA1
83a2281d5e80aff453a135bf5165293bef5635bb

SHA256
c6dc20c75a8f1f39b0e1d589ed0627c857403a3864ce8ad1781e1da79ed0c670

SHA512
005d8c050f2685314911b86f779054951356cbb1176513321029471f2d43df5bf3a01fc3be0e9fe805ab79137a97df4b599d59453ce804a5ab6b126bdad2e73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfsakoofji.exe

Filesize
10.4MB

MD5
2f5d1da0d71c045b8c3549e881f12228

SHA1
da5d1e91dda694b2a6bd9b6a7025a4ea66f1dac9

SHA256
2c7f6bacd28d06722be85f6d6ec602318834163600b6d04d3f4a290b67831fe8

SHA512
183f34c1fd5af7a96920701acf2bd87a5845f4d6bf525f617d1b2ad265598c8451836e51b1735b6a08db79270954204645f73140c7217bda39936195edf3f593

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnwibuubzo.exe

Filesize
10.4MB

MD5
164576c703265e983eda13b82715838f

SHA1
2637c731f17b023ddf5e1cd0acdd9a29ffe9c1e7

SHA256
adc37ec907e99e521cb98e373f2da923ab406e5fb5d864fcf692c37e5437e51c

SHA512
807caad0b17c975f3a974f4c4cd81cbca9563ec133f856409bd3e88653d41a03b7a97e9527d638735504fa2d15fd3e0f86b11f5ceb1b6dd531af7ebbbfbea0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\okftorehwk.exe

Filesize
10.4MB

MD5
caf412b748ebb7baea5d591fc205ecd3

SHA1
674eb7b5a630f799535a251c6fdad05f50e17562

SHA256
76ae0b0bc9e0ea75aabdf2da3c922fa51f4032f73115a2fc4d1f81909eb65265

SHA512
421f1076f6dd875d4bc8e60d8da0c6ebf3ad359b87ec04c864fe0202aed1bba183c9faa0332fceab882f98a8600585fb38276a81a5fd51be52c8756dc25cc8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiwlozluhk.exe

Filesize
10.4MB

MD5
f3f83d3ce53caf00e8c1186db001cb1f

SHA1
a7e10872f3805b6bcb0706f6b6f1c2e761b615c5

SHA256
309bd6d541021d6a00a40ed9ab9c68af21a77b5c16a38497a54c356c909c87d3

SHA512
d675b86d2d446a1eb10ab370d080e3051ab2b693e14c26bf2c07798e5b4783513c63475777ca001021c57b4163ef24c8b2d1e42582b9622fb84c255cfc8e025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svpklyrgdl.exe

Filesize
10.4MB

MD5
54bc6317340fbeeb944541084f350837

SHA1
cab7caec7d5ab5f60f97a285f4f4c9b66b4111fa

SHA256
d652599856dbfccbd47973c3b8c0434009b63a0ccc19f30d1de92f8d2c7427b8

SHA512
4c4a61dc9966069ea8188b6b92b31f5ba7d630ef84f9278785ef84d71c23a57cd365f375f3baba36438c2b9e4074109c2bdc9bd2274912be0367c3222e8cc7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svslrrxusw.exe

Filesize
10.4MB

MD5
abad4cbceed00225691de02fe43e3139

SHA1
703dcaabe8e4543f74d7cdf4a9d6e4ee5f6c9c04

SHA256
ac027d97cdfe73a50c34c6d3b55e96eff00c6d1341232df19abcb8e325c910fb

SHA512
3ba887778527a91af85a0e6eac210c84b014ef8a3164b0ad78002adbbd4ce9c03fc56259c4b201e7ab84159425a77799a56d81afd9bf2e90c5fe3c0b95488d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
c41a768653ae6fae2108cefcff933700

SHA1
4546ae318668a0ad0510d82e1178f2fea1beeea4

SHA256
fbef715508f07c66ef7cfcb6ed3504ccc26eace01b31ae6c35b49952374b7fea

SHA512
611e0a1ec7f8b4076ffad993b2d88ee594da1f244b9f05be5f5a239b5b12a6f72ab27ac83a523f33a299d69d734f45471c4337a38d5b6e2648b3e12280c1c7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
22ce5aa2f9201e710118b88cc081cbd5

SHA1
31609a23467424ce6b0f419139657f74f0d04283

SHA256
ac4c7a67812b9a567d812f9868530b8a5fd69430a5eed8f62337581c15538c57

SHA512
1cf664771824cf81783785b301825db6dada6c75001fb33b2465d588b955e46a6f24d8d9f7688081f298da3853a3cbe9b3b7cc3c553b18d10a78b057ccca6f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
57dd6f8cb3c3dfaf30d3fff30406d491

SHA1
1de95a1cce54eb0275046ba466dcd1f11f36418b

SHA256
ad479cc12e7e79cd16e2332e14cd49568cd1ea119c4ef34a494a34351aea4fe9

SHA512
a6411047bfcf75980d65d2304858c9bff3e81e317694d6797d583d549002abd22730967b6aca1ef3344cbc1c86ab4f093fcbff027f71a88072adea33ca00253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
e6cb5771f89f6c4620ed8a38838da82c

SHA1
88d2b1b1ad53f53e58714f002c626b90b3ef57aa

SHA256
50eee3fc59c245007b7a26062cf8ef262887764f8d95b11d07ae428d6a5d498b

SHA512
fbecf22f3075d5174072678e9dd7183c25f37ee75f77e7ded4784b09aadaa5281bcdbe3bc2dd77c1bb92ee7a6cd6fc677e36aca1bc1a51099bcbbe82f81f5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
688ca6f5d97fda483dd3ba8963200608

SHA1
9cd636f6a8847866b770ab832ebbefff4f85e712

SHA256
0863c184c2954d55dbc3ee4690c684e93c48a0cc6993d8b1c7af4a9f341db980

SHA512
a6ed66f7e1a4c41f912488742bd7b3479b4d602208e46697b98c07b632d5c7ff757c473200b3863fe62a38ed133ebeb041cde60d0853809083b9b9ec51026c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
b8cc03e6cc3d98e920a0b039198b7591

SHA1
6945777bb527f1a7310eab6a581de5e4caf3461f

SHA256
bdf9da3d5c4097dfb22a3fd7c61e54abb849df0cd5d8c0133fde468d8b8cefa2

SHA512
9e9bc50884af67eb9cf0275c546908393caa818bc1e74f74cb5439ddf775f1a565daab52c9410d649d8153db0d51050432100d86d490dcb544c558d2c6a2eb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
a9a9b51bae77ecdf655dab38b21d5e5c

SHA1
1ee3888efc3e7f5561d945ea006e729320fb9cdd

SHA256
d2cd4f6e3f38d205e8d8e62be9e4e8af68dd0a3135a92943ed37d4cfa808ff9a

SHA512
64b4f9b3100da8aa2f0f4030d97f073b94f64f8721527221cc45531a70f0d36bec2f2aa51743bfddd5a70564d99d53ee33bc80f0f2d680a1bc4607ca68b97179

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
49dea1a081dcad29071ac1ea3346c202

SHA1
317f8a77c3c8bdfa4bb68503cc481f4ff74654d7

SHA256
5def6099e322dc9a793f593dc11d35570c68b8445e9f671e0b88e19e5adc0891

SHA512
b57c9dc07a138cf66e14520ffebf4423e0ffb61b78c0da463df5c32ea17122ba68e31e2a548d6a74c27ff39064dcbc8d1cc75bc6571bc4cd8a69e04fc07c2509

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
882156f1eb352549e46074f31ddf3a59

SHA1
4bed9ccdbe3db721f292e8ad1663786c5f9834ac

SHA256
d8c022c0d5c4dfea5e0983760967a026b1e3571715d1111be68e9a65f9cc14b7

SHA512
8acac569e8c863b70a0adfb8b2b55703fbd1ed0be461167aa50ecd4dbe00ae499984184e523a786e582f865b8aae6c98fee058fc201683e29ccbe928aefc7263

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
f6e0446b84fd08186335ad382fc04955

SHA1
315be4bd75b41daaf4832a8c6443e8c2f7dbf4ff

SHA256
cd3d7634ba901552dc2c5c70a8e820d4c820af5ad454dea30fd21d01456d08a7

SHA512
557944fc88895c863ce85b70856647c599f9a32cd29127be6e183df63b273cd362dd4b59ae5d8601f1f117da559c923196bea8361f35daf38dd31e9bb975234c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbwxwsggw.exe

Filesize
10.4MB

MD5
6c203c47930d5c00af5fae8e40a8360f

SHA1
088d1a757d7d07a8c03cc02e0aa8af5807bdc062

SHA256
09a4b27efdb61179b50e8a41ad0c6a088122a831eca84b07648a3b4afa50e139

SHA512
91f38510e57f15672b1bfeab1e754f831666c7fab7f5f32aa408cd34ece362e78e630c5cd2d4c60ba6a15bb36f0901342d92cac2861c50f94a39bfe51920ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqdtonyiob.exe

Filesize
10.4MB

MD5
cacf9f7bfcd106bf0b9f585373dfa553

SHA1
a9e7e1b7f6aa3b960d894c1996696a87bef9ec3d

SHA256
047162a597f43b2020995d4d3dab6b88308b3533e490e7f064c2967597226be3

SHA512
b1913d765a68a323daab39205079b69608e3561d19d4d957aaf8ba485b6be38cfa9f453687f78d6a6b218d7f1a2f2d2e6ed922d79756fd5287367ee001cd8935

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhbpieappn.exe

Filesize
10.4MB

MD5
8f98d535378c002bacc60dacedf5d0fc

SHA1
d199a362f6777cf2540af1253c8e27bc40ea8d2e

SHA256
ee0b44db2391ef3da064c1d0f2a4473c507ea87e25a759f3daba627dcf11acb8

SHA512
cf6bfac5de8c888d16d26d3b28ae2c4632307a83394b9f10b904c2080cddc5ded4a5d7d68112835a9e8a8d804a6e9a7e056e9deaed1d0b7ff80c12c7c823163b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zohphkeuan.exe

Filesize
10.4MB

MD5
2e70f7dffd988508e09f8ef4bc20ae5a

SHA1
0b0850ea9b914086ba6af05a7952a64dd56cd034

SHA256
da7262347dccbcf7600320b07b10b70b0bf9f470d113427ebe558599fbbf7158

SHA512
dd024d5d62462b43311d896fa48edcdca26d15f2ec73a95b5cd97f0ac904ef1be7f456d43e512f868d07faca804a2b6776c978b92f5416b9bcfcd04eef7f9973

Download Submit
memory/708-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/860-160-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/976-84-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/976-85-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1060-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1208-130-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1336-154-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1356-33-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1356-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1464-119-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1620-21-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1620-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1640-165-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1664-105-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1772-50-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1772-62-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1772-0-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1772-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1772-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1924-138-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2044-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2044-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2044-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2044-3-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2264-53-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3024-94-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3240-88-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3272-110-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3692-149-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3768-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3820-11-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3820-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3820-65-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3820-69-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3820-12-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3884-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3884-30-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3888-77-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3888-76-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4276-127-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4280-64-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4284-74-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4464-99-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4752-116-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4884-141-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4932-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5000-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5000-24-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5032-58-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/5032-59-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download