f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f

Analysis

max time kernel
90s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
Size

10.4MB
MD5

dea9b2798daed234c552da17e06bc58a
SHA1

a881ea99d35d216ce7582afd3f3cd40960c8b06d
SHA256

f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f
SHA512

ded04fe7f41e03d268eb80b815c9135bac1f3b54d7a79dd82db6d6fa5c11cafc2cd3a778cb6eab1d87cad358a393a38ef02d7113cf65e37ffe9af851be05ea28
SSDEEP

196608:XZGmussR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnssREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4904	ixbueflita.exe
2964	ixbueflita.exe
2644	elskqqoihb.exe
5004	elskqqoihb.exe
340	bfoxosunwy.exe
2216	bfoxosunwy.exe
2324	iqvqpuircu.exe
4436	iqvqpuircu.exe
3276	ygidhdjfya.exe
2344	ygidhdjfya.exe
4628	bqkrntymok.exe
1120	bqkrntymok.exe
3132	vivanujhdp.exe
1604	vivanujhdp.exe
2796	ioqlmefcbq.exe
3040	ioqlmefcbq.exe
4576	vjrccfeusp.exe
4836	vjrccfeusp.exe
1004	sloyjkavmt.exe
4268	sloyjkavmt.exe
2744	qjhontyuks.exe
1424	qjhontyuks.exe
3292	amhqsesbdu.exe
4536	amhqsesbdu.exe
1680	xvalmsuyog.exe
456	xvalmsuyog.exe
4680	agopukcxbm.exe
4108	agopukcxbm.exe
3316	kjzgybjzvw.exe
4388	kjzgybjzvw.exe
1612	ptqcgkkfwu.exe
4604	ptqcgkkfwu.exe
2396	uzwskwifoj.exe
3056	uzwskwifoj.exe
1776	cheubzmfzu.exe
4224	cheubzmfzu.exe
1996	uacikhzsfi.exe
2844	uacikhzsfi.exe
4828	rfirafhjej.exe
3636	rfirafhjej.exe
4500	cnyfwfzakw.exe
2708	cnyfwfzakw.exe
3436	wmadqxtznb.exe
992	wmadqxtznb.exe
4944	unegwcpszn.exe
4536	unegwcpszn.exe
456	pfjmtlmvdr.exe
1812	pfjmtlmvdr.exe
2788	wuuywfaohi.exe
1656	wuuywfaohi.exe
2256	jmjoyuumrw.exe
4604	jmjoyuumrw.exe
1296	wsmzxeqipx.exe
4236	wsmzxeqipx.exe
560	eswgaqzadf.exe
1908	eswgaqzadf.exe
5012	deszzzdzvr.exe
4904	deszzzdzvr.exe
2144	lbepwtxkug.exe
1716	lbepwtxkug.exe
3272	wxqldhlhla.exe
1464	wxqldhlhla.exe
3964	wqchowaycb.exe
2868	wqchowaycb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
532	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4904	ixbueflita.exe
2964	ixbueflita.exe
2644	elskqqoihb.exe
5004	elskqqoihb.exe
340	bfoxosunwy.exe
2216	bfoxosunwy.exe
2324	iqvqpuircu.exe
4436	iqvqpuircu.exe
3276	ygidhdjfya.exe
2344	ygidhdjfya.exe
4628	bqkrntymok.exe
1120	bqkrntymok.exe
3132	vivanujhdp.exe
1604	vivanujhdp.exe
2796	ioqlmefcbq.exe
3040	ioqlmefcbq.exe
4576	vjrccfeusp.exe
4836	vjrccfeusp.exe
1004	sloyjkavmt.exe
4268	sloyjkavmt.exe
2744	qjhontyuks.exe
1424	qjhontyuks.exe
3292	amhqsesbdu.exe
4536	amhqsesbdu.exe
1680	xvalmsuyog.exe
456	xvalmsuyog.exe
4680	agopukcxbm.exe
4108	agopukcxbm.exe
4388	kjzgybjzvw.exe
1612	ptqcgkkfwu.exe
4604	ptqcgkkfwu.exe
2396	uzwskwifoj.exe
3056	uzwskwifoj.exe
1776	cheubzmfzu.exe
4224	cheubzmfzu.exe
1996	uacikhzsfi.exe
2844	uacikhzsfi.exe
4828	rfirafhjej.exe
3636	rfirafhjej.exe
4500	cnyfwfzakw.exe
2708	cnyfwfzakw.exe
3436	wmadqxtznb.exe
992	wmadqxtznb.exe
4944	unegwcpszn.exe
4536	unegwcpszn.exe
456	pfjmtlmvdr.exe
1812	pfjmtlmvdr.exe
2788	wuuywfaohi.exe
1656	wuuywfaohi.exe
2256	jmjoyuumrw.exe
4604	jmjoyuumrw.exe
1296	wsmzxeqipx.exe
4236	wsmzxeqipx.exe
560	eswgaqzadf.exe
1908	eswgaqzadf.exe
5012	deszzzdzvr.exe
4904	deszzzdzvr.exe
2144	lbepwtxkug.exe
1716	lbepwtxkug.exe
3272	wxqldhlhla.exe
1464	wxqldhlhla.exe
3964	wqchowaycb.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxqldhlhla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjhontyuks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yyozezbhon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iyczdgzcad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqlweyaplv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sloyjkavmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmzxeqipx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abvwcfbwtm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmadqxtznb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkvvccshkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqchowaycb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpwrhhdbzs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfoxosunwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfirafhjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cnyfwfzakw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqxvoqkuzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	albpvlvmcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfoxosunwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvalmsuyog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzwskwifoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbepwtxkug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unegwcpszn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abvwcfbwtm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ixbueflita.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uacikhzsfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjhontyuks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amhqsesbdu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsmzxeqipx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjrccfeusp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhzibxwrrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqchowaycb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igqwpjlvwp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuywfaohi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheubzmfzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmjoyuumrw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vivanujhdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjrccfeusp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sloyjkavmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nafyvdknoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfjmtlmvdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuywfaohi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nafyvdknoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	artxwrmlhw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjzgybjzvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmadqxtznb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheubzmfzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unegwcpszn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeqmiqtzze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ixbueflita.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptqcgkkfwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzwskwifoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqvqpuircu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agopukcxbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uacikhzsfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlbnesthob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvalmsuyog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeqmiqtzze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhzibxwrrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elskqqoihb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfjmtlmvdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkvvccshkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypdpngvjxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amhqsesbdu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
532	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
532	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4904	ixbueflita.exe
4904	ixbueflita.exe
4904	ixbueflita.exe
4904	ixbueflita.exe
2964	ixbueflita.exe
2964	ixbueflita.exe
2644	elskqqoihb.exe
2644	elskqqoihb.exe
2644	elskqqoihb.exe
2644	elskqqoihb.exe
5004	elskqqoihb.exe
5004	elskqqoihb.exe
340	bfoxosunwy.exe
340	bfoxosunwy.exe
340	bfoxosunwy.exe
340	bfoxosunwy.exe
2216	bfoxosunwy.exe
2216	bfoxosunwy.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
2324	iqvqpuircu.exe
2324	iqvqpuircu.exe
2324	iqvqpuircu.exe
2324	iqvqpuircu.exe
4904	ixbueflita.exe
4904	ixbueflita.exe
4436	iqvqpuircu.exe
4436	iqvqpuircu.exe
2644	elskqqoihb.exe
2644	elskqqoihb.exe
3276	ygidhdjfya.exe
3276	ygidhdjfya.exe
3276	ygidhdjfya.exe
3276	ygidhdjfya.exe
2344	ygidhdjfya.exe
2344	ygidhdjfya.exe
340	bfoxosunwy.exe
340	bfoxosunwy.exe
2324	iqvqpuircu.exe
2324	iqvqpuircu.exe
4628	bqkrntymok.exe
4628	bqkrntymok.exe
4628	bqkrntymok.exe
4628	bqkrntymok.exe
1120	bqkrntymok.exe
1120	bqkrntymok.exe
3276	ygidhdjfya.exe
3276	ygidhdjfya.exe
3132	vivanujhdp.exe
3132	vivanujhdp.exe
3132	vivanujhdp.exe
3132	vivanujhdp.exe
1604	vivanujhdp.exe
1604	vivanujhdp.exe
4628	bqkrntymok.exe
4628	bqkrntymok.exe
2796	ioqlmefcbq.exe
2796	ioqlmefcbq.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
532	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
532	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
4904	ixbueflita.exe
4904	ixbueflita.exe
2964	ixbueflita.exe
2964	ixbueflita.exe
2644	elskqqoihb.exe
2644	elskqqoihb.exe
5004	elskqqoihb.exe
5004	elskqqoihb.exe
340	bfoxosunwy.exe
340	bfoxosunwy.exe
2216	bfoxosunwy.exe
2216	bfoxosunwy.exe
2324	iqvqpuircu.exe
2324	iqvqpuircu.exe
4436	iqvqpuircu.exe
4436	iqvqpuircu.exe
3276	ygidhdjfya.exe
3276	ygidhdjfya.exe
2344	ygidhdjfya.exe
2344	ygidhdjfya.exe
4628	bqkrntymok.exe
4628	bqkrntymok.exe
1120	bqkrntymok.exe
1120	bqkrntymok.exe
3132	vivanujhdp.exe
3132	vivanujhdp.exe
1604	vivanujhdp.exe
1604	vivanujhdp.exe
2796	ioqlmefcbq.exe
2796	ioqlmefcbq.exe
3040	ioqlmefcbq.exe
3040	ioqlmefcbq.exe
4576	vjrccfeusp.exe
4576	vjrccfeusp.exe
4836	vjrccfeusp.exe
4836	vjrccfeusp.exe
1004	sloyjkavmt.exe
1004	sloyjkavmt.exe
4268	sloyjkavmt.exe
4268	sloyjkavmt.exe
2744	qjhontyuks.exe
2744	qjhontyuks.exe
1424	qjhontyuks.exe
1424	qjhontyuks.exe
3292	amhqsesbdu.exe
3292	amhqsesbdu.exe
4536	amhqsesbdu.exe
4536	amhqsesbdu.exe
1680	xvalmsuyog.exe
1680	xvalmsuyog.exe
456	xvalmsuyog.exe
456	xvalmsuyog.exe
4680	agopukcxbm.exe
4680	agopukcxbm.exe
4108	agopukcxbm.exe
4108	agopukcxbm.exe
4388	kjzgybjzvw.exe
4388	kjzgybjzvw.exe
1612	ptqcgkkfwu.exe
1612	ptqcgkkfwu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 532	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	87
PID 4568 wrote to memory of 532	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	87
PID 4568 wrote to memory of 532	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	87
PID 4568 wrote to memory of 4904	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	156
PID 4568 wrote to memory of 4904	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	156
PID 4568 wrote to memory of 4904	4568	f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe	156
PID 4904 wrote to memory of 2964	4904	ixbueflita.exe	90
PID 4904 wrote to memory of 2964	4904	ixbueflita.exe	90
PID 4904 wrote to memory of 2964	4904	ixbueflita.exe	90
PID 4904 wrote to memory of 2644	4904	ixbueflita.exe	91
PID 4904 wrote to memory of 2644	4904	ixbueflita.exe	91
PID 4904 wrote to memory of 2644	4904	ixbueflita.exe	91
PID 2644 wrote to memory of 5004	2644	elskqqoihb.exe	93
PID 2644 wrote to memory of 5004	2644	elskqqoihb.exe	93
PID 2644 wrote to memory of 5004	2644	elskqqoihb.exe	93
PID 2644 wrote to memory of 340	2644	elskqqoihb.exe	94
PID 2644 wrote to memory of 340	2644	elskqqoihb.exe	94
PID 2644 wrote to memory of 340	2644	elskqqoihb.exe	94
PID 340 wrote to memory of 2216	340	bfoxosunwy.exe	95
PID 340 wrote to memory of 2216	340	bfoxosunwy.exe	95
PID 340 wrote to memory of 2216	340	bfoxosunwy.exe	95
PID 340 wrote to memory of 2324	340	bfoxosunwy.exe	96
PID 340 wrote to memory of 2324	340	bfoxosunwy.exe	96
PID 340 wrote to memory of 2324	340	bfoxosunwy.exe	96
PID 2324 wrote to memory of 4436	2324	iqvqpuircu.exe	97
PID 2324 wrote to memory of 4436	2324	iqvqpuircu.exe	97
PID 2324 wrote to memory of 4436	2324	iqvqpuircu.exe	97
PID 2324 wrote to memory of 3276	2324	iqvqpuircu.exe	98
PID 2324 wrote to memory of 3276	2324	iqvqpuircu.exe	98
PID 2324 wrote to memory of 3276	2324	iqvqpuircu.exe	98
PID 3276 wrote to memory of 2344	3276	ygidhdjfya.exe	99
PID 3276 wrote to memory of 2344	3276	ygidhdjfya.exe	99
PID 3276 wrote to memory of 2344	3276	ygidhdjfya.exe	99
PID 3276 wrote to memory of 4628	3276	ygidhdjfya.exe	100
PID 3276 wrote to memory of 4628	3276	ygidhdjfya.exe	100
PID 3276 wrote to memory of 4628	3276	ygidhdjfya.exe	100
PID 4628 wrote to memory of 1120	4628	bqkrntymok.exe	154
PID 4628 wrote to memory of 1120	4628	bqkrntymok.exe	154
PID 4628 wrote to memory of 1120	4628	bqkrntymok.exe	154
PID 4628 wrote to memory of 3132	4628	bqkrntymok.exe	102
PID 4628 wrote to memory of 3132	4628	bqkrntymok.exe	102
PID 4628 wrote to memory of 3132	4628	bqkrntymok.exe	102
PID 3132 wrote to memory of 1604	3132	vivanujhdp.exe	103
PID 3132 wrote to memory of 1604	3132	vivanujhdp.exe	103
PID 3132 wrote to memory of 1604	3132	vivanujhdp.exe	103
PID 3132 wrote to memory of 2796	3132	vivanujhdp.exe	104
PID 3132 wrote to memory of 2796	3132	vivanujhdp.exe	104
PID 3132 wrote to memory of 2796	3132	vivanujhdp.exe	104
PID 2796 wrote to memory of 3040	2796	ioqlmefcbq.exe	105
PID 2796 wrote to memory of 3040	2796	ioqlmefcbq.exe	105
PID 2796 wrote to memory of 3040	2796	ioqlmefcbq.exe	105
PID 2796 wrote to memory of 4576	2796	ioqlmefcbq.exe	106
PID 2796 wrote to memory of 4576	2796	ioqlmefcbq.exe	106
PID 2796 wrote to memory of 4576	2796	ioqlmefcbq.exe	106
PID 4576 wrote to memory of 4836	4576	vjrccfeusp.exe	107
PID 4576 wrote to memory of 4836	4576	vjrccfeusp.exe	107
PID 4576 wrote to memory of 4836	4576	vjrccfeusp.exe	107
PID 4576 wrote to memory of 1004	4576	vjrccfeusp.exe	108
PID 4576 wrote to memory of 1004	4576	vjrccfeusp.exe	108
PID 4576 wrote to memory of 1004	4576	vjrccfeusp.exe	108
PID 1004 wrote to memory of 4268	1004	sloyjkavmt.exe	109
PID 1004 wrote to memory of 4268	1004	sloyjkavmt.exe	109
PID 1004 wrote to memory of 4268	1004	sloyjkavmt.exe	109
PID 1004 wrote to memory of 2744	1004	sloyjkavmt.exe	112

C:\Users\Admin\AppData\Local\Temp\f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
"C:\Users\Admin\AppData\Local\Temp\f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe
  C:\Users\Admin\AppData\Local\Temp\f31b80fd0cc4265dae3be295940b5913abf89fd2c23a31ad09fb49bfd573565f.exe update ixbueflita.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Users\Admin\AppData\Local\Temp\ixbueflita.exe
  C:\Users\Admin\AppData\Local\Temp\ixbueflita.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\ixbueflita.exe
    C:\Users\Admin\AppData\Local\Temp\ixbueflita.exe update elskqqoihb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\elskqqoihb.exe
    C:\Users\Admin\AppData\Local\Temp\elskqqoihb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\elskqqoihb.exe
      C:\Users\Admin\AppData\Local\Temp\elskqqoihb.exe update bfoxosunwy.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\bfoxosunwy.exe
      C:\Users\Admin\AppData\Local\Temp\bfoxosunwy.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Users\Admin\AppData\Local\Temp\bfoxosunwy.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfoxosunwy.exe update iqvqpuircu.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\iqvqpuircu.exe
        
        C:\Users\Admin\AppData\Local\Temp\iqvqpuircu.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\iqvqpuircu.exe
        
        C:\Users\Admin\AppData\Local\Temp\iqvqpuircu.exe update ygidhdjfya.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\ygidhdjfya.exe
        
        C:\Users\Admin\AppData\Local\Temp\ygidhdjfya.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\ygidhdjfya.exe
        
        C:\Users\Admin\AppData\Local\Temp\ygidhdjfya.exe update bqkrntymok.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\bqkrntymok.exe
        
        C:\Users\Admin\AppData\Local\Temp\bqkrntymok.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\bqkrntymok.exe
        
        C:\Users\Admin\AppData\Local\Temp\bqkrntymok.exe update vivanujhdp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\vivanujhdp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vivanujhdp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\vivanujhdp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vivanujhdp.exe update ioqlmefcbq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\ioqlmefcbq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ioqlmefcbq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\ioqlmefcbq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ioqlmefcbq.exe update vjrccfeusp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\vjrccfeusp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjrccfeusp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\vjrccfeusp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjrccfeusp.exe update sloyjkavmt.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\sloyjkavmt.exe
        
        C:\Users\Admin\AppData\Local\Temp\sloyjkavmt.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\sloyjkavmt.exe
        
        C:\Users\Admin\AppData\Local\Temp\sloyjkavmt.exe update qjhontyuks.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\qjhontyuks.exe
        
        C:\Users\Admin\AppData\Local\Temp\qjhontyuks.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\qjhontyuks.exe
        
        C:\Users\Admin\AppData\Local\Temp\qjhontyuks.exe update amhqsesbdu.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\amhqsesbdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\amhqsesbdu.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\amhqsesbdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\amhqsesbdu.exe update xvalmsuyog.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\xvalmsuyog.exe
        
        C:\Users\Admin\AppData\Local\Temp\xvalmsuyog.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\xvalmsuyog.exe
        
        C:\Users\Admin\AppData\Local\Temp\xvalmsuyog.exe update agopukcxbm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\agopukcxbm.exe
        
        C:\Users\Admin\AppData\Local\Temp\agopukcxbm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\agopukcxbm.exe
        
        C:\Users\Admin\AppData\Local\Temp\agopukcxbm.exe update kjzgybjzvw.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\kjzgybjzvw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjzgybjzvw.exe
        16⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\kjzgybjzvw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjzgybjzvw.exe update ptqcgkkfwu.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\ptqcgkkfwu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ptqcgkkfwu.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\ptqcgkkfwu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ptqcgkkfwu.exe update uzwskwifoj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\uzwskwifoj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uzwskwifoj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\uzwskwifoj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uzwskwifoj.exe update cheubzmfzu.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\cheubzmfzu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cheubzmfzu.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\cheubzmfzu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cheubzmfzu.exe update uacikhzsfi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\uacikhzsfi.exe
        
        C:\Users\Admin\AppData\Local\Temp\uacikhzsfi.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\uacikhzsfi.exe
        
        C:\Users\Admin\AppData\Local\Temp\uacikhzsfi.exe update rfirafhjej.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\rfirafhjej.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfirafhjej.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\rfirafhjej.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfirafhjej.exe update cnyfwfzakw.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\cnyfwfzakw.exe
        
        C:\Users\Admin\AppData\Local\Temp\cnyfwfzakw.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\cnyfwfzakw.exe
        
        C:\Users\Admin\AppData\Local\Temp\cnyfwfzakw.exe update wmadqxtznb.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\wmadqxtznb.exe
        
        C:\Users\Admin\AppData\Local\Temp\wmadqxtznb.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\wmadqxtznb.exe
        
        C:\Users\Admin\AppData\Local\Temp\wmadqxtznb.exe update unegwcpszn.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\unegwcpszn.exe
        
        C:\Users\Admin\AppData\Local\Temp\unegwcpszn.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\unegwcpszn.exe
        
        C:\Users\Admin\AppData\Local\Temp\unegwcpszn.exe update pfjmtlmvdr.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\pfjmtlmvdr.exe
        
        C:\Users\Admin\AppData\Local\Temp\pfjmtlmvdr.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\pfjmtlmvdr.exe
        
        C:\Users\Admin\AppData\Local\Temp\pfjmtlmvdr.exe update wuuywfaohi.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\wuuywfaohi.exe
        
        C:\Users\Admin\AppData\Local\Temp\wuuywfaohi.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\wuuywfaohi.exe
        
        C:\Users\Admin\AppData\Local\Temp\wuuywfaohi.exe update jmjoyuumrw.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\jmjoyuumrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmjoyuumrw.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\jmjoyuumrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmjoyuumrw.exe update wsmzxeqipx.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\wsmzxeqipx.exe
        
        C:\Users\Admin\AppData\Local\Temp\wsmzxeqipx.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\wsmzxeqipx.exe
        
        C:\Users\Admin\AppData\Local\Temp\wsmzxeqipx.exe update eswgaqzadf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\eswgaqzadf.exe
        
        C:\Users\Admin\AppData\Local\Temp\eswgaqzadf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\eswgaqzadf.exe
        
        C:\Users\Admin\AppData\Local\Temp\eswgaqzadf.exe update deszzzdzvr.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\deszzzdzvr.exe
        
        C:\Users\Admin\AppData\Local\Temp\deszzzdzvr.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\deszzzdzvr.exe
        
        C:\Users\Admin\AppData\Local\Temp\deszzzdzvr.exe update lbepwtxkug.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\lbepwtxkug.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbepwtxkug.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\lbepwtxkug.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbepwtxkug.exe update wxqldhlhla.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\wxqldhlhla.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxqldhlhla.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\wxqldhlhla.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxqldhlhla.exe update wqchowaycb.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\wqchowaycb.exe
        
        C:\Users\Admin\AppData\Local\Temp\wqchowaycb.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\wqchowaycb.exe
        
        C:\Users\Admin\AppData\Local\Temp\wqchowaycb.exe update yeqmiqtzze.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\yeqmiqtzze.exe
        
        C:\Users\Admin\AppData\Local\Temp\yeqmiqtzze.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\yeqmiqtzze.exe
        
        C:\Users\Admin\AppData\Local\Temp\yeqmiqtzze.exe update dgjsqqmfki.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\dgjsqqmfki.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgjsqqmfki.exe
        35⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\dgjsqqmfki.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgjsqqmfki.exe update yyozezbhon.exe
        36⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\yyozezbhon.exe
        
        C:\Users\Admin\AppData\Local\Temp\yyozezbhon.exe
        36⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\yyozezbhon.exe
        
        C:\Users\Admin\AppData\Local\Temp\yyozezbhon.exe update iyczdgzcad.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\iyczdgzcad.exe
        
        C:\Users\Admin\AppData\Local\Temp\iyczdgzcad.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\iyczdgzcad.exe
        
        C:\Users\Admin\AppData\Local\Temp\iyczdgzcad.exe update qkvvccshkp.exe
        38⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\qkvvccshkp.exe
        
        C:\Users\Admin\AppData\Local\Temp\qkvvccshkp.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\qkvvccshkp.exe
        
        C:\Users\Admin\AppData\Local\Temp\qkvvccshkp.exe update nafyvdknoh.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\nafyvdknoh.exe
        
        C:\Users\Admin\AppData\Local\Temp\nafyvdknoh.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\nafyvdknoh.exe
        
        C:\Users\Admin\AppData\Local\Temp\nafyvdknoh.exe update artxwrmlhw.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\artxwrmlhw.exe
        
        C:\Users\Admin\AppData\Local\Temp\artxwrmlhw.exe
        40⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\artxwrmlhw.exe
        
        C:\Users\Admin\AppData\Local\Temp\artxwrmlhw.exe update ypdpngvjxd.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\ypdpngvjxd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ypdpngvjxd.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\ypdpngvjxd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ypdpngvjxd.exe update vqxvoqkuzf.exe
        42⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\vqxvoqkuzf.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqxvoqkuzf.exe
        42⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\vqxvoqkuzf.exe
        
        C:\Users\Admin\AppData\Local\Temp\vqxvoqkuzf.exe update gqlweyaplv.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\gqlweyaplv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqlweyaplv.exe
        43⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\gqlweyaplv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqlweyaplv.exe update albpvlvmcn.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\albpvlvmcn.exe
        
        C:\Users\Admin\AppData\Local\Temp\albpvlvmcn.exe
        44⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\albpvlvmcn.exe
        
        C:\Users\Admin\AppData\Local\Temp\albpvlvmcn.exe update dlbnesthob.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\dlbnesthob.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlbnesthob.exe
        45⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\dlbnesthob.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlbnesthob.exe update abvwcfbwtm.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\abvwcfbwtm.exe
        
        C:\Users\Admin\AppData\Local\Temp\abvwcfbwtm.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\abvwcfbwtm.exe
        
        C:\Users\Admin\AppData\Local\Temp\abvwcfbwtm.exe update nhzibxwrrn.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\nhzibxwrrn.exe
        
        C:\Users\Admin\AppData\Local\Temp\nhzibxwrrn.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\nhzibxwrrn.exe
        
        C:\Users\Admin\AppData\Local\Temp\nhzibxwrrn.exe update igqwpjlvwp.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\igqwpjlvwp.exe
        
        C:\Users\Admin\AppData\Local\Temp\igqwpjlvwp.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\igqwpjlvwp.exe
        
        C:\Users\Admin\AppData\Local\Temp\igqwpjlvwp.exe update xpwrhhdbzs.exe
        49⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\xpwrhhdbzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\xpwrhhdbzs.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\xpwrhhdbzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\xpwrhhdbzs.exe update nqtvhgvoku.exe
        50⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\nqtvhgvoku.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqtvhgvoku.exe
        50⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\nqtvhgvoku.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqtvhgvoku.exe update xegbiptcpz.exe
        51⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\xegbiptcpz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xegbiptcpz.exe
        51⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\xegbiptcpz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xegbiptcpz.exe update ptrwwklvhc.exe
        52⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\ptrwwklvhc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ptrwwklvhc.exe
        52⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\ptrwwklvhc.exe
        
        C:\Users\Admin\AppData\Local\Temp\ptrwwklvhc.exe update hatxzahfra.exe
        53⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\hatxzahfra.exe
        
        C:\Users\Admin\AppData\Local\Temp\hatxzahfra.exe
        53⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\hatxzahfra.exe
        
        C:\Users\Admin\AppData\Local\Temp\hatxzahfra.exe update rqfdhqioxp.exe
        54⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\rqfdhqioxp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqfdhqioxp.exe
        54⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\rqfdhqioxp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqfdhqioxp.exe update rjaemfdxjp.exe
        55⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\rjaemfdxjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjaemfdxjp.exe
        55⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\rjaemfdxjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjaemfdxjp.exe update zgxsaeivie.exe
        56⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\zgxsaeivie.exe
        
        C:\Users\Admin\AppData\Local\Temp\zgxsaeivie.exe
        56⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\zgxsaeivie.exe
        
        C:\Users\Admin\AppData\Local\Temp\zgxsaeivie.exe update pdsjxybggt.exe
        57⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\pdsjxybggt.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsjxybggt.exe
        57⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\pdsjxybggt.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsjxybggt.exe update etcmpzunlu.exe
        58⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\etcmpzunlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\etcmpzunlu.exe
        58⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\etcmpzunlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\etcmpzunlu.exe update rwusmniowi.exe
        59⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\rwusmniowi.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwusmniowi.exe
        59⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\rwusmniowi.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwusmniowi.exe update wqxozzjkiw.exe
        60⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wqxozzjkiw.exe
        
        C:\Users\Admin\AppData\Local\Temp\wqxozzjkiw.exe
        60⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\wqxozzjkiw.exe
        
        C:\Users\Admin\AppData\Local\Temp\wqxozzjkiw.exe update tssfueimyk.exe
        61⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tssfueimyk.exe
        
        C:\Users\Admin\AppData\Local\Temp\tssfueimyk.exe
        61⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tssfueimyk.exe
        
        C:\Users\Admin\AppData\Local\Temp\tssfueimyk.exe update erinexulkq.exe
        62⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        62⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe update ogutegshhd.exe
        63⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\ogutegshhd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogutegshhd.exe
        63⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\ogutegshhd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogutegshhd.exe update rqvciqhclj.exe
        64⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\rqvciqhclj.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqvciqhclj.exe
        64⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\rqvciqhclj.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqvciqhclj.exe update qnskejcvpy.exe
        65⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\qnskejcvpy.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnskejcvpy.exe
        65⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\qnskejcvpy.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnskejcvpy.exe update irsyxnzlgc.exe
        66⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\irsyxnzlgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\irsyxnzlgc.exe
        66⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\irsyxnzlgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\irsyxnzlgc.exe update ykbcslmtre.exe
        67⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\ykbcslmtre.exe
        
        C:\Users\Admin\AppData\Local\Temp\ykbcslmtre.exe
        67⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\ykbcslmtre.exe
        
        C:\Users\Admin\AppData\Local\Temp\ykbcslmtre.exe update tgrvjyiyiv.exe
        68⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tgrvjyiyiv.exe
        
        C:\Users\Admin\AppData\Local\Temp\tgrvjyiyiv.exe
        68⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tgrvjyiyiv.exe
        
        C:\Users\Admin\AppData\Local\Temp\tgrvjyiyiv.exe update vjugnbmnhx.exe
        69⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\vjugnbmnhx.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjugnbmnhx.exe
        69⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\vjugnbmnhx.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjugnbmnhx.exe update oyeuptatgk.exe
        70⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\oyeuptatgk.exe
        
        C:\Users\Admin\AppData\Local\Temp\oyeuptatgk.exe
        70⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\oyeuptatgk.exe
        
        C:\Users\Admin\AppData\Local\Temp\oyeuptatgk.exe update shwqpngnrg.exe
        71⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\shwqpngnrg.exe
        
        C:\Users\Admin\AppData\Local\Temp\shwqpngnrg.exe
        71⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\shwqpngnrg.exe
        
        C:\Users\Admin\AppData\Local\Temp\shwqpngnrg.exe update fnzboycixh.exe
        72⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\fnzboycixh.exe
        
        C:\Users\Admin\AppData\Local\Temp\fnzboycixh.exe
        72⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\fnzboycixh.exe
        
        C:\Users\Admin\AppData\Local\Temp\fnzboycixh.exe update vhhzpnrzgc.exe
        73⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\vhhzpnrzgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vhhzpnrzgc.exe
        73⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\vhhzpnrzgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vhhzpnrzgc.exe update qgjlvnqqmn.exe
        74⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\qgjlvnqqmn.exe
        
        C:\Users\Admin\AppData\Local\Temp\qgjlvnqqmn.exe
        74⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\qgjlvnqqmn.exe
        
        C:\Users\Admin\AppData\Local\Temp\qgjlvnqqmn.exe update qojtaekake.exe
        75⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\qojtaekake.exe
        
        C:\Users\Admin\AppData\Local\Temp\qojtaekake.exe
        75⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\qojtaekake.exe
        
        C:\Users\Admin\AppData\Local\Temp\qojtaekake.exe update nqnxhjhbdq.exe
        76⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        76⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe update sgwafrddit.exe
        77⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\sgwafrddit.exe
        
        C:\Users\Admin\AppData\Local\Temp\sgwafrddit.exe
        77⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\sgwafrddit.exe
        
        C:\Users\Admin\AppData\Local\Temp\sgwafrddit.exe update xubmyuvlfk.exe
        78⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\xubmyuvlfk.exe
        
        C:\Users\Admin\AppData\Local\Temp\xubmyuvlfk.exe
        78⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\xubmyuvlfk.exe
        
        C:\Users\Admin\AppData\Local\Temp\xubmyuvlfk.exe update xyxcsbggvn.exe
        79⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\xyxcsbggvn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xyxcsbggvn.exe
        79⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\xyxcsbggvn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xyxcsbggvn.exe update fgunqexcse.exe
        80⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\fgunqexcse.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgunqexcse.exe
        80⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\fgunqexcse.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgunqexcse.exe update kxdyxutxwg.exe
        81⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\kxdyxutxwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxdyxutxwg.exe
        81⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\kxdyxutxwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxdyxutxwg.exe update cenrtcpohx.exe
        82⤵
        
        PID:3992

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agopukcxbm.exe

Filesize
10.4MB

MD5
5ed76b7adbf42256d77c0d2cf524c60c

SHA1
7736b30676a0e8b11516baaf3da5ebe1e21142c7

SHA256
b5c2a16fbd650689b65b19471b2eca999d217a878ba12f3b3b12363e8c5a8c86

SHA512
afd9bbe3e33bd1ae50a00881a3e57d67f33c051af05cf8c34e7ebd87946590173fa26fbcab0d5ab0ac904d9155fd2f874698f05d83adb445d3645b6a110d19fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\amhqsesbdu.exe

Filesize
10.4MB

MD5
15f2e7d2a130d93a9d6f00abffc725fb

SHA1
ae32a1d500d5923c3030efb18e221237f52a7692

SHA256
885bdf29cc04ba76eb73bb40b47f3bda200b98155d15f2bfd166187fd2760f53

SHA512
8400b4abc0250a74aeac90f348de3c96769381dc204745bd142731c9b681c143eafc3f04b4a687d528a2160465935385ae702e373a674e0fab3756fb205360cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfoxosunwy.exe

Filesize
10.4MB

MD5
b3e96d2d6ef4ca8a8f986b2c3878bfe9

SHA1
aad4fab970b1be75293fc1d6b0b49663f9189ba5

SHA256
1934d33049eba5a62129e25e926c7689c42f6fbc799ea65b0191bee144d72adb

SHA512
7d7854415800d5a1d8aa86410f0b2572a24cb00fb2ad5de481fd648d7b1baab2bcbdb32eda4e75d4b0439eed76a3878cb3c4c5fb13dfb7e9b8b542a289053cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqkrntymok.exe

Filesize
10.4MB

MD5
c92cd4e868757e4787d616d2ef752b03

SHA1
24fd33c3e9f6cdd9e3007790f37a4a6510849cd7

SHA256
de605409e2ade8b7cebec126ae94577b1ac50e26704633cd211ffdc87d614290

SHA512
bd4f3b37c645ac33af2cd422b2ad98d476103a7dabf777f5783cc51bad3e0f4917844bbd1cfcee318ce2bf7743dfd1f0f07a974f4c3273a6f5f1e01ffa488b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheubzmfzu.exe

Filesize
10.4MB

MD5
9bcae994d8b3e2334f7aa22f6ce90f41

SHA1
5b93a2e1a2ac587b92cf958bd7fc1f5d2865a6a6

SHA256
ac08d7ead27e95143a20da8bb841c227323026986fad2074a125b43d390e7ada

SHA512
993e02899cdbb7ecc3ea9a6cae3f5ce2c8bf4cac9450ced504db5abaeb5e96f6ef3bf59395f25c4d9019c274c00089dd84b409412f70c85d09b9ce9a8ed290bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\elskqqoihb.exe

Filesize
10.4MB

MD5
94f3e35495f182336476b856dbe1bf7c

SHA1
3d146793aeba609c0eb32a203711daae546da837

SHA256
096590b30eaf6f973b558426be9509649d91769aa9dd013c99c157ebc5c8ddf4

SHA512
c58983cca4f16c60a04f0ff95c200c5ec7eb95692f10f46f375fa5012467930666ee65686c639112b0166de8cb34e4871fe1f4c80fe800590b198c2bccb50a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioqlmefcbq.exe

Filesize
10.4MB

MD5
258cab4988f0236be3438698c92e61d1

SHA1
4bb1310ac3f52595c2fbd77fd516d155a2d1a297

SHA256
bc5d0a36bf410f461c01e7f2545b2755ae107fabc339e13a2f86411abcfcf718

SHA512
4e5652dfd38745a4f1b8560892e6b320b71bb2e092114b513446be720f9d2e9044daec80214861c6088bb07a57938065c30a5315a5d9ed7b0c0ee686fdc9fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqvqpuircu.exe

Filesize
10.4MB

MD5
1433a9917b56121170dfcc6732fb5dfc

SHA1
e84ca333040734c6ea8d0f85921ba7f11dd8c94a

SHA256
059a5069ad94330cc3ec2e6c132c1ae61196ddf663b67b9ef648823e4c1830e7

SHA512
0161c20458ed2351699dfc817c056817aa59852ed2da11cfc4b6b726e9dc8012fc7c61e85cf03496ffc025f157ad9625df08fffcdeaf805cff3cc57a987442b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixbueflita.exe

Filesize
10.4MB

MD5
0a49ce1ffea082403add93492ee52957

SHA1
8d81fe96ced886f4ebb5ae9820cbce88403dc6f8

SHA256
f6ad39fb110fd6559d85f5c0b267b44cfe2261e05f0661e30be4d335d4e9288c

SHA512
6c5b0b60a422ba1fbcbdb167f2f8f247b7fc93f5a9846a07d0c26260cfd4c001a6e8020ab792d820657cc6cd4af86c4a9b95e5b45727a167e8a273b611184912

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjzgybjzvw.exe

Filesize
10.4MB

MD5
ab01e41391add11b3ade1e34a0554219

SHA1
d73ddb762170d7ce23ac940cde5798d2f5ba2804

SHA256
85b90a55a2ecce145b163d28ebdb79485b0630426051cf9d98f47425c8d237a2

SHA512
58d8ac1163dc519891baaadb59780f04c8790f57377a6245b68141f6b3b79cd45068dfc723ef449f074eef8c52b541e5a6b56efa2999a3f38957bcf30d76999b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptqcgkkfwu.exe

Filesize
10.4MB

MD5
63617e0214872544ad8e7ff8614f242e

SHA1
b35038374bd5fc772f00cd2277f3147010ffc19b

SHA256
9f16450e82992265a009146fa5ba1adf419961618759e9b41fb4ce22a4fc54fe

SHA512
d7ee83778fec5e94ebe668244824e804b9e539db7f78b8923a0d945de37c3d811d912a08ab89058070bd01673ec292aaad0dd16a8c0508e865df043ff13f9283

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjhontyuks.exe

Filesize
10.4MB

MD5
4c2c783d9d357527cace55a660b7db02

SHA1
2b3270e075593b0ee6dcfd3cc01447e2e47b9beb

SHA256
b9b353b8426813c47f42da39212ff4a881372d61aaeebf0a4e1627c0b94111f5

SHA512
a82b567d60acec0ac43b9a5a98d572db6c1f3f06504eb1f0d6364bfe764693deddb201eb6ea1a2fc1f43f1440b3a9bf64e1eae3f6c5942e33c21f754f9d67b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\sloyjkavmt.exe

Filesize
10.4MB

MD5
9b73f72b74b4f40c8bb8bbabb37d2753

SHA1
f6d790c0c5f40dc180e0119e9eccb14cf0dda779

SHA256
98410411e1848e47e552516f9b387a9cc39bdc984cbd399e40e08c8e83b463e8

SHA512
29dda39f2029577ba87a6d2b33283a202491592f6f8d5b73cd32f9a7fbbb012b93cbe19bf6e051b78167acbe190f4520333539cd01d838a5089ef626a3dbd98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
0f65f06a74b24c2dcf33b9e0cc3ad17e

SHA1
7e7a6472fec3a20c9c0d6c8842675f02ae93c082

SHA256
a29541f2d4b7724e7996f6f6b977442959d1abd30ec72b12c878b7b18e19e5e9

SHA512
df9fbe03973b139f9d33fa76972f29637624f8fc8140909a65d2ae16e2ca686031456b0b05db00f4969a476fcc0865d28b0dd4e3b1e52d8676325cbd32f2b775

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
4d87e93023791ba5248e08fad9c14025

SHA1
083923c8c4e653bb4b0b78ad772bf02dab5fc9a8

SHA256
484c8aedf2f92dd37a24243acb7527279db204412534b2c78f8e90e95469d8b9

SHA512
9870c87b77c1c959d07fa1882d4e54720ea97644dd6d3ec0f5f2bda64392f5a77922c8bd56830f2fa57423255acb7a33d9834876f56bdf675eb78670c8182720

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
f1008654d492630f46d75e762dd24ff2

SHA1
6e04bc91cf9b3b71fbb95ea55e2dbfbd49e0cb32

SHA256
29edbfeacd9cfc964a1ede63b2948c621f5857e5c9912483629cfdf1002e3393

SHA512
410f9c9e5b7fd4a3fec0d34348a8d7ce94578473a4dd2c23941f7e9aa49e474c20adbd97a080e24a26466f9ffc0f5060fcf477ab4502eca9195f3d2d57eba689

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
4aea4924abdf65d0c4ec72a912ed0079

SHA1
67cdd617ebb4c2de4f2641e44cbbe186dafa7790

SHA256
87ac6de86899c88a922c3d358591a01f4bdd84a357267e495032b62d4ee50d4d

SHA512
c613565ac7cf3e863ef9da440a1d547e736c892c28ed3bc00470511a64622e4e764cf3d4674d91ec40a4326c3ea5ed3df9889e59153c893362d24f26f7801a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
1a1c908593a7cec49aa11a527ab38b40

SHA1
4a580e2fa9da097514898d7637969e764c4fe46d

SHA256
17d1d1d63d9c6c0c46285d7b886cba20e759ea3bf9f52b40aee24236cb920a05

SHA512
0340ca4eaf216d3ae5dcd95d9ad66c6f50f457538e5535bc989803f2cb8fbb7e95515f511a2e388011a7591634de04862b44ff4d30622f69a1f3c096d8591a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3a4656cd4756faf20bc62438d76eda42

SHA1
27251ab70892315481d361f15bb36db0336ceb02

SHA256
b61349c609ec2e30f44e511e0d8bb646179a3978c45d596223172c534c773e23

SHA512
7e03db49f49ca37f94cd67b08a32dc8816736d728787cb7655ec2c1150f98b75abdb58b105534a246cba62c94ae84f52c00ddecb80274c3eb52d1ef6a66be0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
8462257f52a1f3d1599c5a4f5a4fd005

SHA1
e74635f7e8cd7c0c237238547f7de62c3d9a66f8

SHA256
a9480f5574eb0b9f92fc3a1fd5d761b9fb3a396ac2a53546749ecd411f68064d

SHA512
f56525ecbf849f1cd4c29eadb337021184bf3f397bc892657cff96f37065f1fcb3380fef672a4df7fa15fc5c23300d6bdf7f6865a1339a2b5f56f4b73a2bce8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
a275f9eaaec37855dd196b49708bdef1

SHA1
8c478a3a1e60c066172a06f4c9c57f0be097ebdc

SHA256
011d8276d747022794b192ee621e86606da344fe9f8ea0706fc8d09694fef5f6

SHA512
c6425e07e44989c2c69ac6c7acb60aae64070c8282cba0df54262a79d008fd2f0b4ace1ff90b490bc2e47fa98945d83a9d61de9ac96839a779de0f72a44f4324

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzwskwifoj.exe

Filesize
10.4MB

MD5
73e4164e531286e3c219d856b8ec64a1

SHA1
aac248966793c7622e2c6ee6d697938380ab9d11

SHA256
f9da9073227f509a02f6f36e34fc3ff5f0c3461a468f2a21544755e6bfd04875

SHA512
3d654b19c4c2675b40808d4c80da5b10c7d3ab8a61962ab416a68e455044790bb1fed2b82926e1ed669dd7f2b90de36af14a8593ce2a0512ff8619ce79f17567

Download Submit
C:\Users\Admin\AppData\Local\Temp\vivanujhdp.exe

Filesize
10.4MB

MD5
86ffec615aa0f3e5e566551632b70757

SHA1
27c628d08567754e81858b12163f78cb437c4129

SHA256
176292cfa874ae87c2f356c4c46e269cd21af0432967ec5ca35feddeffa2057f

SHA512
fab27d9eb59d59253b6c28538989a13b7c65f04778cec8275a274d99a04bbb0641f4500f70852fb35e642ae05dac6706c3e35fc85b2cd0ee9369e873c0f47082

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjrccfeusp.exe

Filesize
10.4MB

MD5
50fbb588a409f86f4e60dfde05233689

SHA1
2d733e2e167381d4d692010dd9f21de72495fa66

SHA256
796d5f6f482d50057228dd013b628e5ff184973b0f7ffcd1d02b926a29199a24

SHA512
1255968eabb44d13dc27e6376032586acfcffbecbc54d80c1782cc6198376d66c4b83596e7b4aa8e607286ea0e279472f9e0394cdebb258c131270f9b1a9eb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvalmsuyog.exe

Filesize
10.4MB

MD5
a39be573bd273b87b86be7cbc520bcff

SHA1
7580e4ef6f970e5d8a4355253f4fc2676e2b28b5

SHA256
d2dd4dc0e559ae5960c3f84e2232b5b210569abcfa4954bb74ec07ab4bf3fa52

SHA512
85f43db11b13177da696c0a4c90547c1294d4e52ddc1974710f9002211616a6f8869304c72a17b033f5d215ee69456d81958b57d9413e766a9ce1e60412a6b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygidhdjfya.exe

Filesize
10.4MB

MD5
cbcb2fcc68a6bc8e0a047df632444472

SHA1
d1261df11d1b1bc4d2a63f48c9c02b9321b25d5e

SHA256
3fa97cd1410356e5138ae5c85d0ccb72fe778e89421df756de59a8ce53dc8e55

SHA512
ba231a1efa06a8cd7fbdf6105178dd1b7a57b4d325a1b5a53b3e2c641a07379bbd56f8e80ac4a488885c3f695aab52c26df2e5025484013256805d60518d5a97

Download Submit
memory/340-30-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/340-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/456-140-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/532-3-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/532-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/532-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/532-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1004-104-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1120-61-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1424-118-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1604-70-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1612-167-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1680-137-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2216-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2324-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2324-39-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2344-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2644-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2744-115-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2796-79-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2964-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2964-15-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/3040-85-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3132-67-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3276-48-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3276-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3292-126-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4108-151-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4268-107-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4388-159-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4436-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4536-129-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4568-72-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4568-2-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4568-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4568-0-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4568-73-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4576-92-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4576-93-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4628-57-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4628-58-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4680-148-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4836-96-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4904-11-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4904-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4904-12-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4904-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5004-24-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/5004-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download