9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d

Analysis

max time kernel
103s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
Size

10.4MB
MD5

deed8a95fcacd57f018a7a71710b07c6
SHA1

70906b0cce0880586956c7f237804b1750efe2b8
SHA256

9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d
SHA512

dd645d7194dd364f7db801a43e5cf567d2d473a6780c526d982cc6fc9074cdfdeb86e9424057d6266948e5fe94b8cd3b55ac1d274053670473972799d67feab9
SSDEEP

196608:XZGmuKsR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnKsREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4608	wcsctyuzck.exe
3048	wcsctyuzck.exe
4300	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
2004	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
4980	vsdlugkskr.exe
4752	vsdlugkskr.exe
4720	lbahmekgvt.exe
4600	lbahmekgvt.exe
368	gwohylshgj.exe
3756	gwohylshgj.exe
3184	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
3296	dgdrbvtffu.exe
8	dgdrbvtffu.exe
3652	xisadlchee.exe
2972	xisadlchee.exe
1436	qbgptzchlc.exe
1396	qbgptzchlc.exe
2480	ndksimyiwo.exe
1828	ndksimyiwo.exe
1080	pccqjlwdid.exe
4432	pccqjlwdid.exe
4156	xkkzgcqmnt.exe
4396	xkkzgcqmnt.exe
3172	dbbdnsmhsw.exe
1408	dbbdnsmhsw.exe
2544	unpwltqgkh.exe
3096	unpwltqgkh.exe
452	kzhsavnfkd.exe
3152	kzhsavnfkd.exe
220	hbdohijgwh.exe
2164	hbdohijgwh.exe
2876	kwshmcjyni.exe
692	kwshmcjyni.exe
4276	mzffbmlfgq.exe
2284	mzffbmlfgq.exe
4524	cxywfvjefh.exe
4532	cxywfvjefh.exe
4424	exyuothyrw.exe
3200	exyuothyrw.exe
2888	eqlvtqbhdw.exe
4764	eqlvtqbhdw.exe
868	wxxjigdqit.exe
1960	wxxjigdqit.exe
764	uzsaddtrzy.exe
368	uzsaddtrzy.exe
3240	ezoatksmdp.exe
3184	ezoatksmdp.exe
1256	rtxtwrjwte.exe
4396	rtxtwrjwte.exe
4880	wzceovberv.exe
2464	wzceovberv.exe
4100	rndfazjejn.exe
1992	rndfazjejn.exe
1736	tevypyjzsd.exe
4104	tevypyjzsd.exe
2560	hdjkjizyre.exe
4404	hdjkjizyre.exe
3252	wudtgdhweo.exe
4984	wudtgdhweo.exe
4820	lrqjexszcd.exe
1068	lrqjexszcd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
2840	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
4608	wcsctyuzck.exe
3048	wcsctyuzck.exe
4300	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
2004	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
4980	vsdlugkskr.exe
4752	vsdlugkskr.exe
4720	lbahmekgvt.exe
4600	lbahmekgvt.exe
368	gwohylshgj.exe
3756	gwohylshgj.exe
3184	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
3296	dgdrbvtffu.exe
8	dgdrbvtffu.exe
3652	xisadlchee.exe
2972	xisadlchee.exe
1436	qbgptzchlc.exe
1396	qbgptzchlc.exe
2480	ndksimyiwo.exe
1828	ndksimyiwo.exe
1080	pccqjlwdid.exe
4432	pccqjlwdid.exe
4156	xkkzgcqmnt.exe
4396	xkkzgcqmnt.exe
3172	dbbdnsmhsw.exe
1408	dbbdnsmhsw.exe
2544	unpwltqgkh.exe
3096	unpwltqgkh.exe
452	kzhsavnfkd.exe
3152	kzhsavnfkd.exe
220	hbdohijgwh.exe
2164	hbdohijgwh.exe
2876	kwshmcjyni.exe
692	kwshmcjyni.exe
4276	mzffbmlfgq.exe
2284	mzffbmlfgq.exe
4524	cxywfvjefh.exe
4532	cxywfvjefh.exe
4424	exyuothyrw.exe
3200	exyuothyrw.exe
2888	eqlvtqbhdw.exe
4764	eqlvtqbhdw.exe
868	wxxjigdqit.exe
1960	wxxjigdqit.exe
764	uzsaddtrzy.exe
368	uzsaddtrzy.exe
3240	ezoatksmdp.exe
3184	ezoatksmdp.exe
1256	rtxtwrjwte.exe
4396	rtxtwrjwte.exe
4880	wzceovberv.exe
2464	wzceovberv.exe
4100	rndfazjejn.exe
1992	rndfazjejn.exe
1736	tevypyjzsd.exe
4104	tevypyjzsd.exe
2560	hdjkjizyre.exe
4404	hdjkjizyre.exe
3252	wudtgdhweo.exe
4984	wudtgdhweo.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgdrbvtffu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqlvtqbhdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzffbmlfgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzceovberv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtxtwrjwte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dniqwhzwtu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xisadlchee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndksimyiwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhqmwaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijytbhdcsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecnvhaatce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhmnnvghdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpwltqgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvhmunssyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckbtivlgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdwvmojgza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxywfvjefh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtxtwrjwte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxwxigehwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skmkzvygyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exyuothyrw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzsaddtrzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhqmwaubev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pccqjlwdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njievxbtwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kpmbvdwwby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inhyvizsfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbgptzchlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndksimyiwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xkkzgcqmnt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzceovberv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tevypyjzsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwipmmhpac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcsctyuzck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpwltqgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pccqjlwdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxwxigehwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuhzbrijts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utjgfdqhzn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdohijgwh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzsaddtrzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utjgfdqhzn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqlvtqbhdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezoatksmdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwipmmhpac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmnppfjvmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckbtivlgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exyuothyrw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxrumlkpbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvhmunssyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wudtgdhweo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhrefbsnog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czjedbtrjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcxzvsnopd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvnobciwlr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dniqwhzwtu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbbdnsmhsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwshmcjyni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijytbhdcsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iohnfxcbxb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inhyvizsfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rndfazjejn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skmkzvygyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbahmekgvt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
2840	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
2840	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
4608	wcsctyuzck.exe
4608	wcsctyuzck.exe
4608	wcsctyuzck.exe
4608	wcsctyuzck.exe
3048	wcsctyuzck.exe
3048	wcsctyuzck.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
4300	gcgxrsjhls.exe
4300	gcgxrsjhls.exe
4300	gcgxrsjhls.exe
4300	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
2004	lhmnnvghdi.exe
2004	lhmnnvghdi.exe
2004	lhmnnvghdi.exe
2004	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
4608	wcsctyuzck.exe
4608	wcsctyuzck.exe
4980	vsdlugkskr.exe
4980	vsdlugkskr.exe
4300	gcgxrsjhls.exe
4300	gcgxrsjhls.exe
4980	vsdlugkskr.exe
4980	vsdlugkskr.exe
4752	vsdlugkskr.exe
4752	vsdlugkskr.exe
2004	lhmnnvghdi.exe
2004	lhmnnvghdi.exe
4720	lbahmekgvt.exe
4720	lbahmekgvt.exe
4720	lbahmekgvt.exe
4720	lbahmekgvt.exe
4600	lbahmekgvt.exe
4600	lbahmekgvt.exe
4980	vsdlugkskr.exe
4980	vsdlugkskr.exe
368	gwohylshgj.exe
368	gwohylshgj.exe
368	gwohylshgj.exe
368	gwohylshgj.exe
3756	gwohylshgj.exe
3756	gwohylshgj.exe
4720	lbahmekgvt.exe
4720	lbahmekgvt.exe
3184	dniqwhzwtu.exe
3184	dniqwhzwtu.exe
3184	dniqwhzwtu.exe
3184	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
368	gwohylshgj.exe
368	gwohylshgj.exe
3296	dgdrbvtffu.exe
3296	dgdrbvtffu.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
2840	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
2840	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
4608	wcsctyuzck.exe
4608	wcsctyuzck.exe
3048	wcsctyuzck.exe
3048	wcsctyuzck.exe
4300	gcgxrsjhls.exe
4300	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
4092	gcgxrsjhls.exe
2004	lhmnnvghdi.exe
2004	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
5064	lhmnnvghdi.exe
4980	vsdlugkskr.exe
4980	vsdlugkskr.exe
4752	vsdlugkskr.exe
4752	vsdlugkskr.exe
4720	lbahmekgvt.exe
4720	lbahmekgvt.exe
4600	lbahmekgvt.exe
4600	lbahmekgvt.exe
368	gwohylshgj.exe
368	gwohylshgj.exe
3756	gwohylshgj.exe
3756	gwohylshgj.exe
3184	dniqwhzwtu.exe
3184	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
4080	dniqwhzwtu.exe
3296	dgdrbvtffu.exe
3296	dgdrbvtffu.exe
8	dgdrbvtffu.exe
8	dgdrbvtffu.exe
3652	xisadlchee.exe
3652	xisadlchee.exe
2972	xisadlchee.exe
2972	xisadlchee.exe
1436	qbgptzchlc.exe
1436	qbgptzchlc.exe
1396	qbgptzchlc.exe
1396	qbgptzchlc.exe
2480	ndksimyiwo.exe
2480	ndksimyiwo.exe
1828	ndksimyiwo.exe
1828	ndksimyiwo.exe
1080	pccqjlwdid.exe
1080	pccqjlwdid.exe
4432	pccqjlwdid.exe
4432	pccqjlwdid.exe
4156	xkkzgcqmnt.exe
4156	xkkzgcqmnt.exe
4396	xkkzgcqmnt.exe
4396	xkkzgcqmnt.exe
3172	dbbdnsmhsw.exe
3172	dbbdnsmhsw.exe
1408	dbbdnsmhsw.exe
1408	dbbdnsmhsw.exe
2544	unpwltqgkh.exe
2544	unpwltqgkh.exe
3096	unpwltqgkh.exe
3096	unpwltqgkh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2840	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	85
PID 1876 wrote to memory of 2840	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	85
PID 1876 wrote to memory of 2840	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	85
PID 1876 wrote to memory of 4608	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	87
PID 1876 wrote to memory of 4608	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	87
PID 1876 wrote to memory of 4608	1876	9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe	87
PID 4608 wrote to memory of 3048	4608	wcsctyuzck.exe	88
PID 4608 wrote to memory of 3048	4608	wcsctyuzck.exe	88
PID 4608 wrote to memory of 3048	4608	wcsctyuzck.exe	88
PID 4608 wrote to memory of 4300	4608	wcsctyuzck.exe	89
PID 4608 wrote to memory of 4300	4608	wcsctyuzck.exe	89
PID 4608 wrote to memory of 4300	4608	wcsctyuzck.exe	89
PID 4300 wrote to memory of 4092	4300	gcgxrsjhls.exe	90
PID 4300 wrote to memory of 4092	4300	gcgxrsjhls.exe	90
PID 4300 wrote to memory of 4092	4300	gcgxrsjhls.exe	90
PID 4300 wrote to memory of 2004	4300	gcgxrsjhls.exe	91
PID 4300 wrote to memory of 2004	4300	gcgxrsjhls.exe	91
PID 4300 wrote to memory of 2004	4300	gcgxrsjhls.exe	91
PID 2004 wrote to memory of 5064	2004	lhmnnvghdi.exe	92
PID 2004 wrote to memory of 5064	2004	lhmnnvghdi.exe	92
PID 2004 wrote to memory of 5064	2004	lhmnnvghdi.exe	92
PID 2004 wrote to memory of 4980	2004	lhmnnvghdi.exe	95
PID 2004 wrote to memory of 4980	2004	lhmnnvghdi.exe	95
PID 2004 wrote to memory of 4980	2004	lhmnnvghdi.exe	95
PID 4980 wrote to memory of 4752	4980	vsdlugkskr.exe	97
PID 4980 wrote to memory of 4752	4980	vsdlugkskr.exe	97
PID 4980 wrote to memory of 4752	4980	vsdlugkskr.exe	97
PID 4980 wrote to memory of 4720	4980	vsdlugkskr.exe	98
PID 4980 wrote to memory of 4720	4980	vsdlugkskr.exe	98
PID 4980 wrote to memory of 4720	4980	vsdlugkskr.exe	98
PID 4720 wrote to memory of 4600	4720	lbahmekgvt.exe	99
PID 4720 wrote to memory of 4600	4720	lbahmekgvt.exe	99
PID 4720 wrote to memory of 4600	4720	lbahmekgvt.exe	99
PID 4720 wrote to memory of 368	4720	lbahmekgvt.exe	101
PID 4720 wrote to memory of 368	4720	lbahmekgvt.exe	101
PID 4720 wrote to memory of 368	4720	lbahmekgvt.exe	101
PID 368 wrote to memory of 3756	368	gwohylshgj.exe	102
PID 368 wrote to memory of 3756	368	gwohylshgj.exe	102
PID 368 wrote to memory of 3756	368	gwohylshgj.exe	102
PID 368 wrote to memory of 3184	368	gwohylshgj.exe	103
PID 368 wrote to memory of 3184	368	gwohylshgj.exe	103
PID 368 wrote to memory of 3184	368	gwohylshgj.exe	103
PID 3184 wrote to memory of 4080	3184	dniqwhzwtu.exe	104
PID 3184 wrote to memory of 4080	3184	dniqwhzwtu.exe	104
PID 3184 wrote to memory of 4080	3184	dniqwhzwtu.exe	104
PID 3184 wrote to memory of 3296	3184	dniqwhzwtu.exe	105
PID 3184 wrote to memory of 3296	3184	dniqwhzwtu.exe	105
PID 3184 wrote to memory of 3296	3184	dniqwhzwtu.exe	105
PID 3296 wrote to memory of 8	3296	dgdrbvtffu.exe	106
PID 3296 wrote to memory of 8	3296	dgdrbvtffu.exe	106
PID 3296 wrote to memory of 8	3296	dgdrbvtffu.exe	106
PID 3296 wrote to memory of 3652	3296	dgdrbvtffu.exe	108
PID 3296 wrote to memory of 3652	3296	dgdrbvtffu.exe	108
PID 3296 wrote to memory of 3652	3296	dgdrbvtffu.exe	108
PID 3652 wrote to memory of 2972	3652	xisadlchee.exe	109
PID 3652 wrote to memory of 2972	3652	xisadlchee.exe	109
PID 3652 wrote to memory of 2972	3652	xisadlchee.exe	109
PID 3652 wrote to memory of 1436	3652	xisadlchee.exe	110
PID 3652 wrote to memory of 1436	3652	xisadlchee.exe	110
PID 3652 wrote to memory of 1436	3652	xisadlchee.exe	110
PID 1436 wrote to memory of 1396	1436	qbgptzchlc.exe	112
PID 1436 wrote to memory of 1396	1436	qbgptzchlc.exe	112
PID 1436 wrote to memory of 1396	1436	qbgptzchlc.exe	112
PID 1436 wrote to memory of 2480	1436	qbgptzchlc.exe	114

C:\Users\Admin\AppData\Local\Temp\9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
"C:\Users\Admin\AppData\Local\Temp\9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe
  C:\Users\Admin\AppData\Local\Temp\9df0740d66f31d641eba75871c43b0635a9df1afc1b4c510d79d6cce23c35e1d.exe update wcsctyuzck.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\wcsctyuzck.exe
  C:\Users\Admin\AppData\Local\Temp\wcsctyuzck.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\wcsctyuzck.exe
    C:\Users\Admin\AppData\Local\Temp\wcsctyuzck.exe update gcgxrsjhls.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\gcgxrsjhls.exe
    C:\Users\Admin\AppData\Local\Temp\gcgxrsjhls.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\gcgxrsjhls.exe
      C:\Users\Admin\AppData\Local\Temp\gcgxrsjhls.exe update lhmnnvghdi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\lhmnnvghdi.exe
      C:\Users\Admin\AppData\Local\Temp\lhmnnvghdi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\lhmnnvghdi.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhmnnvghdi.exe update vsdlugkskr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe update lbahmekgvt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp\lbahmekgvt.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbahmekgvt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\lbahmekgvt.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbahmekgvt.exe update gwohylshgj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\gwohylshgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwohylshgj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\gwohylshgj.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwohylshgj.exe update dniqwhzwtu.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\dniqwhzwtu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dniqwhzwtu.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\dniqwhzwtu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dniqwhzwtu.exe update dgdrbvtffu.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\dgdrbvtffu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgdrbvtffu.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\dgdrbvtffu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgdrbvtffu.exe update xisadlchee.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\xisadlchee.exe
        
        C:\Users\Admin\AppData\Local\Temp\xisadlchee.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\xisadlchee.exe
        
        C:\Users\Admin\AppData\Local\Temp\xisadlchee.exe update qbgptzchlc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\qbgptzchlc.exe
        
        C:\Users\Admin\AppData\Local\Temp\qbgptzchlc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\qbgptzchlc.exe
        
        C:\Users\Admin\AppData\Local\Temp\qbgptzchlc.exe update ndksimyiwo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\ndksimyiwo.exe
        
        C:\Users\Admin\AppData\Local\Temp\ndksimyiwo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\ndksimyiwo.exe
        
        C:\Users\Admin\AppData\Local\Temp\ndksimyiwo.exe update pccqjlwdid.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\pccqjlwdid.exe
        
        C:\Users\Admin\AppData\Local\Temp\pccqjlwdid.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\pccqjlwdid.exe
        
        C:\Users\Admin\AppData\Local\Temp\pccqjlwdid.exe update xkkzgcqmnt.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\xkkzgcqmnt.exe
        
        C:\Users\Admin\AppData\Local\Temp\xkkzgcqmnt.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\xkkzgcqmnt.exe
        
        C:\Users\Admin\AppData\Local\Temp\xkkzgcqmnt.exe update dbbdnsmhsw.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\dbbdnsmhsw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dbbdnsmhsw.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\dbbdnsmhsw.exe
        
        C:\Users\Admin\AppData\Local\Temp\dbbdnsmhsw.exe update unpwltqgkh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\unpwltqgkh.exe
        
        C:\Users\Admin\AppData\Local\Temp\unpwltqgkh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\unpwltqgkh.exe
        
        C:\Users\Admin\AppData\Local\Temp\unpwltqgkh.exe update kzhsavnfkd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\kzhsavnfkd.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzhsavnfkd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\kzhsavnfkd.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzhsavnfkd.exe update hbdohijgwh.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\hbdohijgwh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hbdohijgwh.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\hbdohijgwh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hbdohijgwh.exe update kwshmcjyni.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\kwshmcjyni.exe
        
        C:\Users\Admin\AppData\Local\Temp\kwshmcjyni.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\kwshmcjyni.exe
        
        C:\Users\Admin\AppData\Local\Temp\kwshmcjyni.exe update mzffbmlfgq.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe update cxywfvjefh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\cxywfvjefh.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxywfvjefh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\cxywfvjefh.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxywfvjefh.exe update exyuothyrw.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\exyuothyrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\exyuothyrw.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\exyuothyrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\exyuothyrw.exe update eqlvtqbhdw.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\eqlvtqbhdw.exe
        
        C:\Users\Admin\AppData\Local\Temp\eqlvtqbhdw.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\eqlvtqbhdw.exe
        
        C:\Users\Admin\AppData\Local\Temp\eqlvtqbhdw.exe update wxxjigdqit.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\wxxjigdqit.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxxjigdqit.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\wxxjigdqit.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxxjigdqit.exe update uzsaddtrzy.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\uzsaddtrzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\uzsaddtrzy.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\uzsaddtrzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\uzsaddtrzy.exe update ezoatksmdp.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\ezoatksmdp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ezoatksmdp.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\ezoatksmdp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ezoatksmdp.exe update rtxtwrjwte.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\rtxtwrjwte.exe
        
        C:\Users\Admin\AppData\Local\Temp\rtxtwrjwte.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\rtxtwrjwte.exe
        
        C:\Users\Admin\AppData\Local\Temp\rtxtwrjwte.exe update wzceovberv.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wzceovberv.exe update rndfazjejn.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\rndfazjejn.exe
        
        C:\Users\Admin\AppData\Local\Temp\rndfazjejn.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\rndfazjejn.exe
        
        C:\Users\Admin\AppData\Local\Temp\rndfazjejn.exe update tevypyjzsd.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tevypyjzsd.exe
        
        C:\Users\Admin\AppData\Local\Temp\tevypyjzsd.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tevypyjzsd.exe
        
        C:\Users\Admin\AppData\Local\Temp\tevypyjzsd.exe update hdjkjizyre.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\hdjkjizyre.exe
        
        C:\Users\Admin\AppData\Local\Temp\hdjkjizyre.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\hdjkjizyre.exe
        
        C:\Users\Admin\AppData\Local\Temp\hdjkjizyre.exe update wudtgdhweo.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\wudtgdhweo.exe
        
        C:\Users\Admin\AppData\Local\Temp\wudtgdhweo.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\wudtgdhweo.exe
        
        C:\Users\Admin\AppData\Local\Temp\wudtgdhweo.exe update lrqjexszcd.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\lrqjexszcd.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrqjexszcd.exe
        33⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\lrqjexszcd.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrqjexszcd.exe update bwipmmhpac.exe
        34⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\bwipmmhpac.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwipmmhpac.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\bwipmmhpac.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwipmmhpac.exe update qtcgjgaazs.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\qtcgjgaazs.exe
        
        C:\Users\Admin\AppData\Local\Temp\qtcgjgaazs.exe
        35⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\qtcgjgaazs.exe
        
        C:\Users\Admin\AppData\Local\Temp\qtcgjgaazs.exe update lhqmwaubev.exe
        36⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\lhqmwaubev.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhqmwaubev.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\lhqmwaubev.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhqmwaubev.exe update lxrumlkpbj.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\lxrumlkpbj.exe
        
        C:\Users\Admin\AppData\Local\Temp\lxrumlkpbj.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\lxrumlkpbj.exe
        
        C:\Users\Admin\AppData\Local\Temp\lxrumlkpbj.exe update ijytbhdcsp.exe
        38⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\ijytbhdcsp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ijytbhdcsp.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\ijytbhdcsp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ijytbhdcsp.exe update yhrefbsnog.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe update dmnppfjvmx.exe
        40⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\dmnppfjvmx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmnppfjvmx.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\dmnppfjvmx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmnppfjvmx.exe update iohnfxcbxb.exe
        41⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\iohnfxcbxb.exe
        
        C:\Users\Admin\AppData\Local\Temp\iohnfxcbxb.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\iohnfxcbxb.exe
        
        C:\Users\Admin\AppData\Local\Temp\iohnfxcbxb.exe update njievxbtwa.exe
        42⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\njievxbtwa.exe
        
        C:\Users\Admin\AppData\Local\Temp\njievxbtwa.exe
        42⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\njievxbtwa.exe
        
        C:\Users\Admin\AppData\Local\Temp\njievxbtwa.exe update xxwxigehwm.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\xxwxigehwm.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxwxigehwm.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\xxwxigehwm.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxwxigehwm.exe update kpmbvdwwby.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\kpmbvdwwby.exe
        
        C:\Users\Admin\AppData\Local\Temp\kpmbvdwwby.exe
        44⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\kpmbvdwwby.exe
        
        C:\Users\Admin\AppData\Local\Temp\kpmbvdwwby.exe update xvhmunssyz.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\xvhmunssyz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xvhmunssyz.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\xvhmunssyz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xvhmunssyz.exe update pkruwrmtve.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\pkruwrmtve.exe
        
        C:\Users\Admin\AppData\Local\Temp\pkruwrmtve.exe
        46⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\pkruwrmtve.exe
        
        C:\Users\Admin\AppData\Local\Temp\pkruwrmtve.exe update inhyvizsfw.exe
        47⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\inhyvizsfw.exe
        
        C:\Users\Admin\AppData\Local\Temp\inhyvizsfw.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\inhyvizsfw.exe
        
        C:\Users\Admin\AppData\Local\Temp\inhyvizsfw.exe update qhpwwqgjxr.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\qhpwwqgjxr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qhpwwqgjxr.exe
        48⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\qhpwwqgjxr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qhpwwqgjxr.exe update cuhzbrijts.exe
        49⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\cuhzbrijts.exe
        
        C:\Users\Admin\AppData\Local\Temp\cuhzbrijts.exe
        49⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\cuhzbrijts.exe
        
        C:\Users\Admin\AppData\Local\Temp\cuhzbrijts.exe update skmkzvygyj.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\skmkzvygyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\skmkzvygyj.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\skmkzvygyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\skmkzvygyj.exe update ckbtivlgcp.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\ckbtivlgcp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckbtivlgcp.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\ckbtivlgcp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckbtivlgcp.exe update cvnobciwlr.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\cvnobciwlr.exe
        
        C:\Users\Admin\AppData\Local\Temp\cvnobciwlr.exe
        52⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\cvnobciwlr.exe
        
        C:\Users\Admin\AppData\Local\Temp\cvnobciwlr.exe update czjedbtrjv.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\czjedbtrjv.exe
        
        C:\Users\Admin\AppData\Local\Temp\czjedbtrjv.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\czjedbtrjv.exe
        
        C:\Users\Admin\AppData\Local\Temp\czjedbtrjv.exe update cdwvmojgza.exe
        54⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\cdwvmojgza.exe
        
        C:\Users\Admin\AppData\Local\Temp\cdwvmojgza.exe
        54⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\cdwvmojgza.exe
        
        C:\Users\Admin\AppData\Local\Temp\cdwvmojgza.exe update ecnvhaatce.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\ecnvhaatce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ecnvhaatce.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\ecnvhaatce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ecnvhaatce.exe update utjgfdqhzn.exe
        56⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\utjgfdqhzn.exe
        
        C:\Users\Admin\AppData\Local\Temp\utjgfdqhzn.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\utjgfdqhzn.exe
        
        C:\Users\Admin\AppData\Local\Temp\utjgfdqhzn.exe update hcxzvsnopd.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\hcxzvsnopd.exe
        
        C:\Users\Admin\AppData\Local\Temp\hcxzvsnopd.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\hcxzvsnopd.exe
        
        C:\Users\Admin\AppData\Local\Temp\hcxzvsnopd.exe update rcmaflaosr.exe
        58⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\rcmaflaosr.exe
        
        C:\Users\Admin\AppData\Local\Temp\rcmaflaosr.exe
        58⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\rcmaflaosr.exe
        
        C:\Users\Admin\AppData\Local\Temp\rcmaflaosr.exe update wdfgnlsbdv.exe
        59⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        59⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe update rnkmbchwiz.exe
        60⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        60⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe update jdkhgezbki.exe
        61⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\jdkhgezbki.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdkhgezbki.exe
        61⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\jdkhgezbki.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdkhgezbki.exe update zaeyvytejx.exe
        62⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\zaeyvytejx.exe
        
        C:\Users\Admin\AppData\Local\Temp\zaeyvytejx.exe
        62⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\zaeyvytejx.exe
        
        C:\Users\Admin\AppData\Local\Temp\zaeyvytejx.exe update jprmwzraok.exe
        63⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\jprmwzraok.exe
        
        C:\Users\Admin\AppData\Local\Temp\jprmwzraok.exe
        63⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\jprmwzraok.exe
        
        C:\Users\Admin\AppData\Local\Temp\jprmwzraok.exe update hmaxuozqer.exe
        64⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\hmaxuozqer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hmaxuozqer.exe
        64⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\hmaxuozqer.exe
        
        C:\Users\Admin\AppData\Local\Temp\hmaxuozqer.exe update jwdxmemooh.exe
        65⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\jwdxmemooh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jwdxmemooh.exe
        65⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\jwdxmemooh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jwdxmemooh.exe update gygozjlxfv.exe
        66⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\gygozjlxfv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gygozjlxfv.exe
        66⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\gygozjlxfv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gygozjlxfv.exe update bpyuhpjkrj.exe
        67⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\bpyuhpjkrj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpyuhpjkrj.exe
        67⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\bpyuhpjkrj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpyuhpjkrj.exe update goofmkvwpa.exe
        68⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\goofmkvwpa.exe
        
        C:\Users\Admin\AppData\Local\Temp\goofmkvwpa.exe
        68⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\goofmkvwpa.exe
        
        C:\Users\Admin\AppData\Local\Temp\goofmkvwpa.exe update tfutunndld.exe
        69⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tfutunndld.exe
        
        C:\Users\Admin\AppData\Local\Temp\tfutunndld.exe
        69⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tfutunndld.exe
        
        C:\Users\Admin\AppData\Local\Temp\tfutunndld.exe update dxkmysktdu.exe
        70⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\dxkmysktdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxkmysktdu.exe
        70⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\dxkmysktdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxkmysktdu.exe update gejammyxbx.exe
        71⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\gejammyxbx.exe
        
        C:\Users\Admin\AppData\Local\Temp\gejammyxbx.exe
        71⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\gejammyxbx.exe
        
        C:\Users\Admin\AppData\Local\Temp\gejammyxbx.exe update vqsihoxfyn.exe
        72⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\vqsihoxfyn.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqsihoxfyn.exe
        72⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\vqsihoxfyn.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqsihoxfyn.exe update tvyhlsufqc.exe
        73⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tvyhlsufqc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tvyhlsufqc.exe
        73⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tvyhlsufqc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tvyhlsufqc.exe update nfextvtqja.exe
        74⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\nfextvtqja.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfextvtqja.exe
        74⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\nfextvtqja.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfextvtqja.exe update fjdlmzqgzd.exe
        75⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\fjdlmzqgzd.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjdlmzqgzd.exe
        75⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\fjdlmzqgzd.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjdlmzqgzd.exe update gkxbxbaffs.exe
        76⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\gkxbxbaffs.exe
        
        C:\Users\Admin\AppData\Local\Temp\gkxbxbaffs.exe
        76⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\gkxbxbaffs.exe
        
        C:\Users\Admin\AppData\Local\Temp\gkxbxbaffs.exe update juachrvepi.exe
        77⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\juachrvepi.exe
        
        C:\Users\Admin\AppData\Local\Temp\juachrvepi.exe
        77⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\juachrvepi.exe
        
        C:\Users\Admin\AppData\Local\Temp\juachrvepi.exe update qdxyhpojak.exe
        78⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\qdxyhpojak.exe
        
        C:\Users\Admin\AppData\Local\Temp\qdxyhpojak.exe
        78⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\qdxyhpojak.exe
        
        C:\Users\Admin\AppData\Local\Temp\qdxyhpojak.exe update cqpjlipjxd.exe
        79⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\cqpjlipjxd.exe
        
        C:\Users\Admin\AppData\Local\Temp\cqpjlipjxd.exe
        79⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\cqpjlipjxd.exe
        
        C:\Users\Admin\AppData\Local\Temp\cqpjlipjxd.exe update dqbaokzbds.exe
        80⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\dqbaokzbds.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqbaokzbds.exe
        80⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\dqbaokzbds.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqbaokzbds.exe update lzivibwtgk.exe
        81⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\lzivibwtgk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzivibwtgk.exe
        81⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\lzivibwtgk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzivibwtgk.exe update nmxofwnmfl.exe
        82⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\nmxofwnmfl.exe
        
        C:\Users\Admin\AppData\Local\Temp\nmxofwnmfl.exe
        82⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\nmxofwnmfl.exe
        
        C:\Users\Admin\AppData\Local\Temp\nmxofwnmfl.exe update pmohdcnhoc.exe
        83⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\pmohdcnhoc.exe
        
        C:\Users\Admin\AppData\Local\Temp\pmohdcnhoc.exe
        83⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\pmohdcnhoc.exe
        
        C:\Users\Admin\AppData\Local\Temp\pmohdcnhoc.exe update axmkctbfyt.exe
        84⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\axmkctbfyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\axmkctbfyt.exe
        84⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\axmkctbfyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\axmkctbfyt.exe update iqwohckbcu.exe
        85⤵
        
        PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbbdnsmhsw.exe

Filesize
10.4MB

MD5
bc721bf5f79ed6906049b163d0de4676

SHA1
3226760f1bc6f776229fa73377a8ca7e4017e2cb

SHA256
8b64bdbdba8b80e736e14b0bd91faf24ab729d42c87cf0ac3e6659fb0932d9c9

SHA512
242b3faf5e8ccfd911076aee90563197550ab65ac9120693d75dbee2f2b523f2d9960fa9ba00e135ff8d06a9fb234b2092bf4410103cc3a7f6e2749e1336b8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgdrbvtffu.exe

Filesize
10.4MB

MD5
49e937af74d0bbdb1b3f61244854e740

SHA1
45e9143d0151dbc779cba3bb9477fd3b425a4990

SHA256
6f474bae22aeb2d0958af8801edf7af2688e3786ec49540d0ea2bd0d91846e87

SHA512
5aef2a6d0b63f184c4e7ed437aa95bfcb5286a8dae3c1c734298a0f2e2f3cde6b29ced691f8f9d248fc56e47aa10d7e2ea9031f9fbfbba2942a7961a94a532aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dniqwhzwtu.exe

Filesize
10.4MB

MD5
e3b847c944a18d07948923ddb7ed3e29

SHA1
fe1ba8b0dddc7429e485952c850df1ab5f8c79ea

SHA256
b62effa149b58c06ecf5b5ad926b3eb68b5e60970a9bec529f016440508bd99a

SHA512
4e19288cdbbc6ef702416f1d05ef076ace13676e26db0322be9650eef773482be7f00b2e965d1fb7676baab30c0bf03fac37725ee9cdfa2e294106850af880e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgxrsjhls.exe

Filesize
10.4MB

MD5
3caa003974bac689f7fbb021b1c4bd2f

SHA1
493e1a6be1fde12b6685a63fcbc4beff03f96b6b

SHA256
034ee7c54cfc0c6034b81826fbc44053b4a30387bbeb4f02261f15d79a175793

SHA512
274a521f7554debc63e7a9e5da66f57ae21a8c0a7af6cb9a02a5200cb08edf27c0cee1bf566f5c7083c27b0daba734c5b7d1f3736c0d8188eddea0cd5f72cb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwohylshgj.exe

Filesize
10.4MB

MD5
c1df55eb5451449bc9b57f085d674d41

SHA1
f1a285d0e187001594c5334b80568fbe784a0647

SHA256
8428badfb2abe644a8aa74bed1671f1fcb09fe15bf0acb0887cefc32c912b552

SHA512
17f80c71bfde9e50e951043f3dc5414517030e8bc51c1354acd21ce5dfb7e2abae28f90be8a8c6bd19bc22559ff3abf3dd53c5a0725529be48e2d84719293e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbdohijgwh.exe

Filesize
10.4MB

MD5
f5d1a576a766a59b30a3bfd71796daee

SHA1
3e488ea113f3baad8d12c97e46b2e1ebf941f7a0

SHA256
9271c975e705c42692ce408461cb7a26ed0128261ec615323e77e1365e4033c3

SHA512
209ad4c04662d2b181886da684bba3fe5074dd30daf212c5517361c6ebc79fd770b801da28792b30a76e0b722f7951227dc8886d3cfee84c2188f8de0bacecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwshmcjyni.exe

Filesize
10.4MB

MD5
2e2f4e9ec4da9c5569320ba5c40bd840

SHA1
add2996b4650757cbb5d7cc882ca62d80cd3161d

SHA256
e2a92af8d02b00975c96423173ee6a5983ffb96adac4b0795f3baca8f5248d89

SHA512
0a66b06626a5df323813ead13f2975884fc6d41a8cdc153d98db0dfa3c6d12a6c23e99414897db6452ab3125a86a3d5d91545acd450e36dd86e24dd07ed60487

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzhsavnfkd.exe

Filesize
10.4MB

MD5
d04a5c5f3a596d6246b52f6001a5e3d8

SHA1
acfc7cbb9efae96ff0997b656f26d97477be08fd

SHA256
4c8c9b27fd3b06a6b54efbb9926a4343b9159ff692ecd0d58c89512d72d827b4

SHA512
0bd733044cdfd86c41ffcdf15d9559931ca72354855fd7b643a014ad7788281666e569621b7a0f42799caa17d236783543da733d8db51666cc5044e6d1b1d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbahmekgvt.exe

Filesize
10.4MB

MD5
05d9bf06a3bc87f98d50a55137d12cf5

SHA1
451555402b9ae9e140e45dfd6497f970d99ebf5e

SHA256
ec0eb6fbc7642f043f1f6f24129a8dc4273196778daab9b03ff866b6824cda8b

SHA512
422e6254f4c7d0c26d709190073c770fef6706a259a2aecf2e75ec869400869df8c5768059506996ee2ed6c06b6e8613d2ff4bdce91ea6cf529574c71aa8ef66

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhmnnvghdi.exe

Filesize
10.4MB

MD5
770dc24ea749070eb171d980e5aee576

SHA1
8ef4f6975d94d615a051ef18853571feb4709e32

SHA256
f8cea7131fd4010bf8f1815a4b8b045089c0a85abc77a4df450b97e324b914ae

SHA512
ca12fe2d48dcdb5855ce2217cad04ded7871ad976a9e7e3de96b9f6ef9f48033e9432bf5e61e69f3243833b0526e8a53b10e8164fddada2b06fceafba8c4299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndksimyiwo.exe

Filesize
10.4MB

MD5
c5bcbc7f7a9a59d16d31a9e7530cf764

SHA1
e4b33cdfcb2f860771c990e5a607f01c43b25cca

SHA256
c78e3c8f0f8ddc405688aad6d104cfee3d4a3a7264c383ba04e4db4ee42ab184

SHA512
ef168ae67d57cdfe6915808b1f44324b3b6fc76c2322e619e296dd4961ca35e855fca4987df2e7a9c2e19d9573385a0959c66ebd146bcac4cb1c29befd15bba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pccqjlwdid.exe

Filesize
10.4MB

MD5
9b4412487524113d72b3ba756af1f95a

SHA1
6cbf24776eb49cb0406a1f0994679e200918eed6

SHA256
ac597e2deab42dd95131e7c7ff7253a1cd08798a84162594532532bcd8e989e2

SHA512
052d03561c94cae5c82eb3e8449d755f6740f90460b4b2ea60501645097b3a1669edd2d69289a7d64e932feca32192ba03786f2c50de743db24fc67019a10a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbgptzchlc.exe

Filesize
10.4MB

MD5
a4ae8387961fdcf50fa76d69c4ec9dd2

SHA1
05781e13852e532cf7730282122c53bcca2b6877

SHA256
30ab301e0e329fed143b553ef86b57e299689b01a8b25baed165f012af591242

SHA512
c8afd105577f5194e014aa658a914e98a7a8380ef8b60aaae91b4e0b4876fad42021bab60681c8f36ba47ffb570b5e605e7957cb718f8f78f77a567d2839f542

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpwltqgkh.exe

Filesize
10.4MB

MD5
8c5a5de5add80464a79eb687e223bfb5

SHA1
6ee4e750bc65881774ee2bea0c0bb3557160edf2

SHA256
ebc80ada8e97b2a0fb8694a66995cd6bd162d98f1fea268df14c3e34e9353c8c

SHA512
6233580f065b5b05c223c2943cc6ed847a079b6e8a2eb0af268ad77681f9eed31bfc13826dda6668d6900d6a8920c6e1eb7ebb2f9e235cd4783c33f10aa78468

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
b48d10f1026a140334e9a643cb1aca12

SHA1
4785b0f823202dc556bccbfd965c52373ce15ca0

SHA256
45aac461426d0d1bec8fa3ed6ed1e94ebda071fbb63752b5c882f0b0ffd7fd86

SHA512
5894e409c3defb5a3638192a6ffc20086e9684f6e89a80d6fa25e8d175433853baa369b0c5ad04479b5542e8cc119d21b6146dd53a071ca13dcae655356469f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
ae6426114c6314e57e1c90d5ccfd9238

SHA1
dd3ff81e435993e9e6a388835243eb0b8ea642ed

SHA256
80555f7db5e001032c9f07baeb14e63ec1d657cce52fed636f07000c4d4a1648

SHA512
221c72dfafbff7e2fcca1d8abe2234eb2bdc138fc4861b68229d58c84d035f69398128fe8c657f35e3ff161a2edc536c5f48b7553e21d73ef13e6c0900041959

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3d5770a5e7b92f3b6fcda65d26a4825a

SHA1
dcafeff6c433b33473d34bf9fbfe4ca2297b359f

SHA256
2b118c02c0b69dc80149119ce5cf852453ada82c91e95f2d12e9c6f0e0a18e5a

SHA512
dbaf0ed9bc921006ab329cdc51acf0d7dcd60bf5380f2d0564801e59f82ab347d248e86026f5a2969a5a8c9a3dd5c85565d6b1de4145721fd55fd3638a3a852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
b04dda040d4d645e4e783c0c686289b8

SHA1
969c556e0e10e4168cb1cfccc5ae6f985bb11eab

SHA256
3ff7d3c7fa51c0df87c97a6a70d54b5387c4494febc1d1dbd7c187ddfe7cdf5b

SHA512
438af17914002e26336f503d1c5a86e15f5316db7aa1ef27738dc697217d2f87b149699c2718960696326a85401b864505fd8445d0bbcadb4ff5b63d69df789b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
458960317d1be00f211ee2ce83520b30

SHA1
04f9fd054698c625f13d853375737162d8fccdfc

SHA256
5611af8ceaa1cd7a4aafb271056718dcbfd23c72c1e5904bce99cc31d0465ebf

SHA512
222d6755fe6be342a74f9539ccd71f3d38af2325be0db7e2740d66442d1ac5ce194133fe810a0e300d327d28d0684ca6ef2e64ece2d77c0dce95217dff728705

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
578c566a5dae6919e588717aa10f25b9

SHA1
f31d24592c999642c2506fdab0d81777ca142510

SHA256
99d43b66caefb48196af492d706cbdd3632fd9ca7c509411bb5c86b7042a907a

SHA512
e1902f7f4a7f9dd8e960f09485acba55ef417c0acdfb1f0b30925aabfd0cc2e2e56b1a3171c3c9af1ba04436cffd28939376d8cfe2201dc14e342055481e0781

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
a3d8e38bc6d7714101d000b9b77deafe

SHA1
1169eebface60fb475835b74eae9d8f8ba36f183

SHA256
e75e3d344a7c7e39a6d7575712a79811b18520f92b87b6259832e74261da944c

SHA512
198bb78f8c5d897f64a0694f91ec83293c8d5d2eacb0be66f528d8cc27b6f78bef177fc11f719593d121d3579ea025cb44680df43a97b6e90b9d7eea05823f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
ae357e784e0bf75efdfd59e5d7076826

SHA1
9adf59ddfe22da6b0bb7c538a1f9ae95d7d3cf6a

SHA256
f6ab97af5ff23a414c819b01a7dadce121f098cae2ef37b55a030433b26c2efd

SHA512
319de211e764ef671f421af03849b208d47a2487c752a25d85deb95e96985fcaed23da1067787e44e9747776cae2ebda1cad82876685913724311f2f194940e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe

Filesize
10.4MB

MD5
5e59deccca070f70136194328508e813

SHA1
bb40c03dcdc2ea19b2bc5e2553df3cc2af537c15

SHA256
d38c0eeadecea44f2fbf57dfb35c439c36182ebcbb4a90aed038e745ba56f9d0

SHA512
2854d3edc605fec410871e56fb5f205b8b4f63f4c1d89a79a47e696a05adf5cda9a585f1843fc0fbcd609081b8397cfe156d7075cc4a3af0359e75a1fef485cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsctyuzck.exe

Filesize
10.4MB

MD5
0efa33dd3b2b54cb74de2a1b81af0748

SHA1
a4b1c3e1f9b1cc7ca15bf47a3e8ef16e3aa9a8a7

SHA256
b04eead20ec080d426558e7df4c7107e3954a884559566e26be648ddeafc2507

SHA512
cae4d379f41c2258e375243aa826dc492dd327377adbdcb8368120c49c48eac09db9485a929ec887c2d380302cf9a13e445bf77ab072a017e54366b1f88b77e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xisadlchee.exe

Filesize
10.4MB

MD5
66b8c9fa977447496df77ef199d32485

SHA1
33d75ff2f7317b23803a0a0f324e01ac1e9df6f9

SHA256
ea3be7f64efd8921bb9e5f6003d2d594aea102a72d84ad7b766550c37a250e3f

SHA512
1ea6e46b75031072d9a13212ae4ecf6c0e08caf29c884c43bc27e3814b4dfbc15bc57e20fe14e4741a7f8d1884169ff8443a417c028c07fa9a36b39b672dbf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkkzgcqmnt.exe

Filesize
10.4MB

MD5
9d7ab74883ef18dcf62cf3470e4dcb5e

SHA1
82e4893160b639d32acf754ac1d8cba520831eb1

SHA256
b3fe9df1b57390f1f419bd63f125da1a5aa319e4307b1f1321eefe81ebcc3e7e

SHA512
cf4c4b866a84b6e801b60875e51f88c6b9580b118cfa7b4516b6d0a41c4b9df7ee87af10d61479c84491d663e0dfe6c7f02c65cac00ab9a4856416c0cd38a03d

Download Submit
memory/8-88-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/368-58-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1080-128-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1080-129-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1396-110-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1408-154-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1436-107-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1828-121-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1876-0-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1876-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1876-62-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1876-64-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1876-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2004-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2480-118-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2544-160-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2840-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2840-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2840-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2972-99-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3048-15-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3048-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3096-165-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3172-149-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3184-70-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3296-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3652-94-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3756-61-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3756-60-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4080-73-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4092-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4156-140-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4300-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4300-21-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4396-143-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4432-132-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4600-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4608-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4608-11-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4608-74-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4608-12-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4608-85-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4720-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4752-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4980-39-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4980-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5064-33-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5064-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download