agenttesla | 1151ee875282f7d8b10efceb057cf61f1d2da7e0c641e2abeed84594769ee75a

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
Size

709KB
MD5

e89e23925742eaacc706435af0f57667
SHA1

95c55e1fdd896c9d308622c07661f9cf3c4f48de
SHA256

1151ee875282f7d8b10efceb057cf61f1d2da7e0c641e2abeed84594769ee75a
SHA512

983a4fbc014ef8dbc2811764563d3017deed3d99e7cc2c31f6ac036c298977f330c5f75e052ee68a9adbbe037986220543fb9a5f52096b3b81d089b0f9688f0e
SSDEEP

12288:cIybkLlzbPalCqX/wHRmSOv4kKJTJaor2teoMPaJfRu/Y+L9xzr+zfSFh00:cItYcNiZKJTXrMePaJfRkY2toGX

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2604-16-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 64 IoCs

pid	Process
2112	nfviepplrs.exe
2604	u25l069.exe
2724	nfviepplrs.exe
2128	u25l069.exe
2828	nfviepplrs.exe
2852	u25l069.exe
2788	nfviepplrs.exe
2764	u25l069.exe
2824	nfviepplrs.exe
2948	u25l069.exe
2800	nfviepplrs.exe
2844	u25l069.exe
2696	nfviepplrs.exe
1936	u25l069.exe
2292	nfviepplrs.exe
2000	u25l069.exe
1400	nfviepplrs.exe
1116	u25l069.exe
332	nfviepplrs.exe
1996	u25l069.exe
1000	nfviepplrs.exe
400	u25l069.exe
1836	nfviepplrs.exe
1712	u25l069.exe
2392	nfviepplrs.exe
2028	u25l069.exe
2008	nfviepplrs.exe
2808	u25l069.exe
2860	nfviepplrs.exe
2504	u25l069.exe
2072	nfviepplrs.exe
2516	u25l069.exe
2544	nfviepplrs.exe
2264	u25l069.exe
2032	nfviepplrs.exe
1904	u25l069.exe
2508	nfviepplrs.exe
1160	u25l069.exe
2320	nfviepplrs.exe
1608	u25l069.exe
1048	nfviepplrs.exe
968	u25l069.exe
1648	nfviepplrs.exe
1832	u25l069.exe
1772	nfviepplrs.exe
620	u25l069.exe
1236	nfviepplrs.exe
328	u25l069.exe
2060	nfviepplrs.exe
1944	u25l069.exe
976	nfviepplrs.exe
1512	u25l069.exe
2348	nfviepplrs.exe
2068	u25l069.exe
2976	nfviepplrs.exe
2480	u25l069.exe
3008	nfviepplrs.exe
3020	u25l069.exe
2200	nfviepplrs.exe
1676	u25l069.exe
2248	nfviepplrs.exe
1776	u25l069.exe
812	nfviepplrs.exe
2108	u25l069.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
2112	nfviepplrs.exe
2112	nfviepplrs.exe
2724	nfviepplrs.exe
2724	nfviepplrs.exe
2828	nfviepplrs.exe
2828	nfviepplrs.exe
2788	nfviepplrs.exe
2788	nfviepplrs.exe
2824	nfviepplrs.exe
2824	nfviepplrs.exe
2800	nfviepplrs.exe
2800	nfviepplrs.exe
2696	nfviepplrs.exe
2696	nfviepplrs.exe
2292	nfviepplrs.exe
2292	nfviepplrs.exe
1400	nfviepplrs.exe
1400	nfviepplrs.exe
332	nfviepplrs.exe
332	nfviepplrs.exe
1000	nfviepplrs.exe
1000	nfviepplrs.exe
1836	nfviepplrs.exe
1836	nfviepplrs.exe
2392	nfviepplrs.exe
2392	nfviepplrs.exe
2008	nfviepplrs.exe
2008	nfviepplrs.exe
2860	nfviepplrs.exe
2860	nfviepplrs.exe
2072	nfviepplrs.exe
2072	nfviepplrs.exe
2544	nfviepplrs.exe
2544	nfviepplrs.exe
2032	nfviepplrs.exe
2032	nfviepplrs.exe
2508	nfviepplrs.exe
2508	nfviepplrs.exe
2320	nfviepplrs.exe
2320	nfviepplrs.exe
1048	nfviepplrs.exe
1048	nfviepplrs.exe
1648	nfviepplrs.exe
1648	nfviepplrs.exe
1772	nfviepplrs.exe
1772	nfviepplrs.exe
1236	nfviepplrs.exe
1236	nfviepplrs.exe
2060	nfviepplrs.exe
2060	nfviepplrs.exe
976	nfviepplrs.exe
976	nfviepplrs.exe
2348	nfviepplrs.exe
2348	nfviepplrs.exe
2976	nfviepplrs.exe
2976	nfviepplrs.exe
3008	nfviepplrs.exe
3008	nfviepplrs.exe
2200	nfviepplrs.exe
2200	nfviepplrs.exe
2248	nfviepplrs.exe
2248	nfviepplrs.exe
812	nfviepplrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfviepplrs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	nfviepplrs.exe
2112	nfviepplrs.exe
2112	nfviepplrs.exe
2112	nfviepplrs.exe
2724	nfviepplrs.exe
2724	nfviepplrs.exe
2724	nfviepplrs.exe
2724	nfviepplrs.exe
2828	nfviepplrs.exe
2828	nfviepplrs.exe
2828	nfviepplrs.exe
2828	nfviepplrs.exe
2788	nfviepplrs.exe
2788	nfviepplrs.exe
2788	nfviepplrs.exe
2788	nfviepplrs.exe
2824	nfviepplrs.exe
2824	nfviepplrs.exe
2824	nfviepplrs.exe
2824	nfviepplrs.exe
2800	nfviepplrs.exe
2800	nfviepplrs.exe
2800	nfviepplrs.exe
2800	nfviepplrs.exe
2696	nfviepplrs.exe
2696	nfviepplrs.exe
2696	nfviepplrs.exe
2696	nfviepplrs.exe
2292	nfviepplrs.exe
2292	nfviepplrs.exe
2292	nfviepplrs.exe
2292	nfviepplrs.exe
1400	nfviepplrs.exe
1400	nfviepplrs.exe
1400	nfviepplrs.exe
1400	nfviepplrs.exe
332	nfviepplrs.exe
332	nfviepplrs.exe
332	nfviepplrs.exe
332	nfviepplrs.exe
1000	nfviepplrs.exe
1000	nfviepplrs.exe
1000	nfviepplrs.exe
1000	nfviepplrs.exe
1836	nfviepplrs.exe
1836	nfviepplrs.exe
1836	nfviepplrs.exe
1836	nfviepplrs.exe
2392	nfviepplrs.exe
2392	nfviepplrs.exe
2392	nfviepplrs.exe
2392	nfviepplrs.exe
2008	nfviepplrs.exe
2008	nfviepplrs.exe
2008	nfviepplrs.exe
2008	nfviepplrs.exe
2860	nfviepplrs.exe
2860	nfviepplrs.exe
2860	nfviepplrs.exe
2860	nfviepplrs.exe
2072	nfviepplrs.exe
2072	nfviepplrs.exe
2072	nfviepplrs.exe
2072	nfviepplrs.exe

Suspicious behavior: MapViewOfSection 49 IoCs

pid	Process
2112	nfviepplrs.exe
2724	nfviepplrs.exe
2828	nfviepplrs.exe
2788	nfviepplrs.exe
2824	nfviepplrs.exe
2800	nfviepplrs.exe
2696	nfviepplrs.exe
2292	nfviepplrs.exe
1400	nfviepplrs.exe
332	nfviepplrs.exe
1000	nfviepplrs.exe
1836	nfviepplrs.exe
2392	nfviepplrs.exe
2008	nfviepplrs.exe
2860	nfviepplrs.exe
2072	nfviepplrs.exe
2544	nfviepplrs.exe
2032	nfviepplrs.exe
2508	nfviepplrs.exe
2320	nfviepplrs.exe
1048	nfviepplrs.exe
1648	nfviepplrs.exe
1772	nfviepplrs.exe
1236	nfviepplrs.exe
2060	nfviepplrs.exe
976	nfviepplrs.exe
2348	nfviepplrs.exe
2976	nfviepplrs.exe
3008	nfviepplrs.exe
2200	nfviepplrs.exe
2248	nfviepplrs.exe
812	nfviepplrs.exe
1480	nfviepplrs.exe
2548	nfviepplrs.exe
1704	nfviepplrs.exe
1752	nfviepplrs.exe
2740	nfviepplrs.exe
2912	nfviepplrs.exe
2784	nfviepplrs.exe
2764	nfviepplrs.exe
2176	nfviepplrs.exe
2804	nfviepplrs.exe
2844	nfviepplrs.exe
2920	nfviepplrs.exe
3056	nfviepplrs.exe
2708	nfviepplrs.exe
680	nfviepplrs.exe
1508	nfviepplrs.exe
2864	nfviepplrs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2112	2132	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2112	2132	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2112	2132	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2112	2132	e89e23925742eaacc706435af0f57667_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2604	2112	nfviepplrs.exe	31
PID 2112 wrote to memory of 2604	2112	nfviepplrs.exe	31
PID 2112 wrote to memory of 2604	2112	nfviepplrs.exe	31
PID 2112 wrote to memory of 2604	2112	nfviepplrs.exe	31
PID 2112 wrote to memory of 2604	2112	nfviepplrs.exe	31
PID 2112 wrote to memory of 2724	2112	nfviepplrs.exe	32
PID 2112 wrote to memory of 2724	2112	nfviepplrs.exe	32
PID 2112 wrote to memory of 2724	2112	nfviepplrs.exe	32
PID 2112 wrote to memory of 2724	2112	nfviepplrs.exe	32
PID 2724 wrote to memory of 2128	2724	nfviepplrs.exe	33
PID 2724 wrote to memory of 2128	2724	nfviepplrs.exe	33
PID 2724 wrote to memory of 2128	2724	nfviepplrs.exe	33
PID 2724 wrote to memory of 2128	2724	nfviepplrs.exe	33
PID 2724 wrote to memory of 2128	2724	nfviepplrs.exe	33
PID 2724 wrote to memory of 2828	2724	nfviepplrs.exe	34
PID 2724 wrote to memory of 2828	2724	nfviepplrs.exe	34
PID 2724 wrote to memory of 2828	2724	nfviepplrs.exe	34
PID 2724 wrote to memory of 2828	2724	nfviepplrs.exe	34
PID 2828 wrote to memory of 2852	2828	nfviepplrs.exe	35
PID 2828 wrote to memory of 2852	2828	nfviepplrs.exe	35
PID 2828 wrote to memory of 2852	2828	nfviepplrs.exe	35
PID 2828 wrote to memory of 2852	2828	nfviepplrs.exe	35
PID 2828 wrote to memory of 2852	2828	nfviepplrs.exe	35
PID 2828 wrote to memory of 2788	2828	nfviepplrs.exe	36
PID 2828 wrote to memory of 2788	2828	nfviepplrs.exe	36
PID 2828 wrote to memory of 2788	2828	nfviepplrs.exe	36
PID 2828 wrote to memory of 2788	2828	nfviepplrs.exe	36
PID 2788 wrote to memory of 2764	2788	nfviepplrs.exe	37
PID 2788 wrote to memory of 2764	2788	nfviepplrs.exe	37
PID 2788 wrote to memory of 2764	2788	nfviepplrs.exe	37
PID 2788 wrote to memory of 2764	2788	nfviepplrs.exe	37
PID 2788 wrote to memory of 2764	2788	nfviepplrs.exe	37
PID 2788 wrote to memory of 2824	2788	nfviepplrs.exe	39
PID 2788 wrote to memory of 2824	2788	nfviepplrs.exe	39
PID 2788 wrote to memory of 2824	2788	nfviepplrs.exe	39
PID 2788 wrote to memory of 2824	2788	nfviepplrs.exe	39
PID 2824 wrote to memory of 2948	2824	nfviepplrs.exe	40
PID 2824 wrote to memory of 2948	2824	nfviepplrs.exe	40
PID 2824 wrote to memory of 2948	2824	nfviepplrs.exe	40
PID 2824 wrote to memory of 2948	2824	nfviepplrs.exe	40
PID 2824 wrote to memory of 2948	2824	nfviepplrs.exe	40
PID 2824 wrote to memory of 2800	2824	nfviepplrs.exe	41
PID 2824 wrote to memory of 2800	2824	nfviepplrs.exe	41
PID 2824 wrote to memory of 2800	2824	nfviepplrs.exe	41
PID 2824 wrote to memory of 2800	2824	nfviepplrs.exe	41
PID 2800 wrote to memory of 2844	2800	nfviepplrs.exe	42
PID 2800 wrote to memory of 2844	2800	nfviepplrs.exe	42
PID 2800 wrote to memory of 2844	2800	nfviepplrs.exe	42
PID 2800 wrote to memory of 2844	2800	nfviepplrs.exe	42
PID 2800 wrote to memory of 2844	2800	nfviepplrs.exe	42
PID 2800 wrote to memory of 2696	2800	nfviepplrs.exe	43
PID 2800 wrote to memory of 2696	2800	nfviepplrs.exe	43
PID 2800 wrote to memory of 2696	2800	nfviepplrs.exe	43
PID 2800 wrote to memory of 2696	2800	nfviepplrs.exe	43
PID 2696 wrote to memory of 1936	2696	nfviepplrs.exe	44
PID 2696 wrote to memory of 1936	2696	nfviepplrs.exe	44
PID 2696 wrote to memory of 1936	2696	nfviepplrs.exe	44
PID 2696 wrote to memory of 1936	2696	nfviepplrs.exe	44
PID 2696 wrote to memory of 1936	2696	nfviepplrs.exe	44
PID 2696 wrote to memory of 2292	2696	nfviepplrs.exe	45

C:\Users\Admin\AppData\Local\Temp\e89e23925742eaacc706435af0f57667_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89e23925742eaacc706435af0f57667_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
  C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
    C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
    C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
      C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
      4⤵
      Executes dropped EXE
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
      C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        5⤵
        Executes dropped EXE
        
        PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        6⤵
        Executes dropped EXE
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        7⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        8⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        9⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        10⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        11⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        12⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        13⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        14⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        15⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        16⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        17⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        18⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        19⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        20⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        21⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        22⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        23⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        24⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        25⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        26⤵
        Executes dropped EXE
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        27⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        28⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        29⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        30⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        31⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        32⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        33⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        34⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        34⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        35⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        35⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        36⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        36⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        37⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        37⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        38⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        38⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        39⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        39⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        40⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        40⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        41⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        41⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        42⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        42⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        43⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        43⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        44⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        44⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        45⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        45⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        46⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        46⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        47⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        47⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        48⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        49⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        49⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        50⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        50⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe
        
        C:\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei
        51⤵
        
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\epzgrd.oj

Filesize
285KB

MD5
863b66523fbc4450ae132faea9e0686f

SHA1
89a08cfc68787638158bb65d3f6c36cf0a624d4c

SHA256
bda4b5788ce715a548690e2ff258e4b29c2b36375eef8a673800e01d83345c57

SHA512
40c5582f1c15393a1fce6511a9193167e928ad336090fabe4a10295eb2a790b43a5d9cf92da113ce957926576210566fe842ac5fc81f7de08f5ad6c491cd6f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\qiobz.vei

Filesize
252KB

MD5
e49b470009e7e7c86fb1714e2b9a918e

SHA1
a8a4fe82175f1351d226a874361d084d67198aa2

SHA256
25c160905644fb9705cd20e27f455968e70893089bd5fdb7ac8f4d6d4b6f0408

SHA512
4fa35c615673bc00035a7a1b11e497696e35ee996474d712a2c01f52569793082f980049c3eb1cbd5f94e32c6fa3b5058e53cc9bd153e6883af6b1c3e079b103

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\nfviepplrs.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\u25l069.exe

Filesize
872KB

MD5
221567466782aa578f0dab4523f17eb3

SHA1
e55e0798ff6e861bb1f9fabeaa293ef2e799515e

SHA256
9d10d8583c2282e85c33a619455bf7254edd11c86bf6e772e7c20254f155b462

SHA512
1c34144e7c53e28cf26c43a2f876d83a99cf6481f8523c86e06af35e1287fab23165d25c26fc2772c40a79274d92edd40865591de408a66467703a0c87b1ae9d

Download Submit
memory/2112-8-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2604-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download