790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
Size

10.4MB
MD5

88937cbffb71f57ee4f0286ae738e345
SHA1

308ef17257528b978b95100629ca59933e50a464
SHA256

790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb
SHA512

1c851321ec14b4824b8bb1848cfa2552018c4f7aabd398f37505896a900254791fd6ff835e7e55397fff8d46248d71aaec3449a8515df6b88fd2445811873641
SSDEEP

196608:XZGmuqsR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnqsREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3876	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3184	bjznntbqmx.exe
756	bjznntbqmx.exe
4496	luqdmwncbg.exe
1156	luqdmwncbg.exe
4820	tybvpowrrc.exe
640	tybvpowrrc.exe
4036	yatolojgzh.exe
3552	yatolojgzh.exe
1824	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4216	nywyzmgjjz.exe
868	nywyzmgjjz.exe
1876	wrjmwocfyh.exe
3548	wrjmwocfyh.exe
3512	vsdlugkskr.exe
4432	vsdlugkskr.exe
2284	tqwuyghzrq.exe
4348	tqwuyghzrq.exe
2268	vuzscgotka.exe
4344	vuzscgotka.exe
3476	ytbewmjfrn.exe
2408	ytbewmjfrn.exe
3084	dndvxymcik.exe
3520	dndvxymcik.exe
4052	itjdvwlsol.exe
4764	itjdvwlsol.exe
1192	nkzhjklity.exe
1980	nkzhjklity.exe
3076	qkatdqpuzl.exe
4740	qkatdqpuzl.exe
4940	hrltzhlekb.exe
4472	hrltzhlekb.exe
1848	nivkrweyjk.exe
3828	nivkrweyjk.exe
4816	crzjdetvfe.exe
1736	crzjdetvfe.exe
1124	cgjxxopjwr.exe
3024	cgjxxopjwr.exe
3624	hycgjysmkm.exe
3740	hycgjysmkm.exe
4452	rtmsbhbxjp.exe
4000	rtmsbhbxjp.exe
2160	rjnassrlne.exe
948	rjnassrlne.exe
4868	rrujpjlvtd.exe
4568	rrujpjlvtd.exe
5104	uflaafsvto.exe
4980	uflaafsvto.exe
4188	mjutnrmcmq.exe
2408	mjutnrmcmq.exe
2992	eqxujziuxg.exe
3736	eqxujziuxg.exe
376	bwbfbdacmf.exe
4880	bwbfbdacmf.exe
4480	ezpgfspexn.exe
3140	ezpgfspexn.exe
2116	mwmutsncek.exe
1984	mwmutsncek.exe
1640	bxkytqnipm.exe
1912	bxkytqnipm.exe
2268	tbrlmukffq.exe
3828	tbrlmukffq.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3664	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3876	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3184	bjznntbqmx.exe
756	bjznntbqmx.exe
4496	luqdmwncbg.exe
1156	luqdmwncbg.exe
4820	tybvpowrrc.exe
640	tybvpowrrc.exe
4036	yatolojgzh.exe
3552	yatolojgzh.exe
1824	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4216	nywyzmgjjz.exe
868	nywyzmgjjz.exe
1876	wrjmwocfyh.exe
3548	wrjmwocfyh.exe
3512	vsdlugkskr.exe
4432	vsdlugkskr.exe
2284	tqwuyghzrq.exe
4348	tqwuyghzrq.exe
2268	vuzscgotka.exe
4344	vuzscgotka.exe
3476	ytbewmjfrn.exe
2408	ytbewmjfrn.exe
3084	dndvxymcik.exe
3520	dndvxymcik.exe
4052	itjdvwlsol.exe
4764	itjdvwlsol.exe
1192	nkzhjklity.exe
1980	nkzhjklity.exe
3076	qkatdqpuzl.exe
4740	qkatdqpuzl.exe
4940	hrltzhlekb.exe
4472	hrltzhlekb.exe
1848	nivkrweyjk.exe
3828	nivkrweyjk.exe
4816	crzjdetvfe.exe
1736	crzjdetvfe.exe
1124	cgjxxopjwr.exe
3024	cgjxxopjwr.exe
3624	hycgjysmkm.exe
3740	hycgjysmkm.exe
4452	rtmsbhbxjp.exe
4000	rtmsbhbxjp.exe
2160	rjnassrlne.exe
948	rjnassrlne.exe
4868	rrujpjlvtd.exe
4568	rrujpjlvtd.exe
5104	uflaafsvto.exe
4980	uflaafsvto.exe
4188	mjutnrmcmq.exe
2408	mjutnrmcmq.exe
2992	eqxujziuxg.exe
3736	eqxujziuxg.exe
376	bwbfbdacmf.exe
4880	bwbfbdacmf.exe
4480	ezpgfspexn.exe
3140	ezpgfspexn.exe
2116	mwmutsncek.exe
1984	mwmutsncek.exe
1640	bxkytqnipm.exe
1912	bxkytqnipm.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjnassrlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbrlmukffq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hycgjysmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhitfwqakk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deprecwqen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luqdmwncbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tybvpowrrc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytbewmjfrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgjxxopjwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txziezmces.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ideswnfyqz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jtpjutjfcy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltywfljruv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dilhyaitui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ideswnfyqz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pjgrxpztso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rrujpjlvtd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uflaafsvto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hycgjysmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjznntbqmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tybvpowrrc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dndvxymcik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqxujziuxg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzstotaahy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rcmcjmwzsa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtmsbhbxjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deprecwqen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuzscgotka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwbfbdacmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezpgfspexn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsfrpfsrfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrjmwocfyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezpgfspexn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylbduywmvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yatolojgzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oiqzjsruwy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nywyzmgjjz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqwuyghzrq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkatdqpuzl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uflaafsvto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzstotaahy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yatolojgzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgjxxopjwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwmutsncek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwmutsncek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkatdqpuzl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crzjdetvfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crzjdetvfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjutnrmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bozocphkxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltywfljruv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjvusspxuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsdlugkskr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itjdvwlsol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jswyjjxuwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dilhyaitui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjvusspxuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuzscgotka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrltzhlekb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjznntbqmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjnassrlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrltzhlekb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsdlugkskr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqwuyghzrq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3664	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3664	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3876	rcmcjmwzsa.exe
3876	rcmcjmwzsa.exe
3876	rcmcjmwzsa.exe
3876	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3184	bjznntbqmx.exe
3184	bjznntbqmx.exe
3184	bjznntbqmx.exe
3184	bjznntbqmx.exe
756	bjznntbqmx.exe
756	bjznntbqmx.exe
4496	luqdmwncbg.exe
4496	luqdmwncbg.exe
4496	luqdmwncbg.exe
4496	luqdmwncbg.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
1156	luqdmwncbg.exe
1156	luqdmwncbg.exe
3876	rcmcjmwzsa.exe
3876	rcmcjmwzsa.exe
4820	tybvpowrrc.exe
4820	tybvpowrrc.exe
4820	tybvpowrrc.exe
4820	tybvpowrrc.exe
640	tybvpowrrc.exe
640	tybvpowrrc.exe
3184	bjznntbqmx.exe
3184	bjznntbqmx.exe
4036	yatolojgzh.exe
4036	yatolojgzh.exe
4496	luqdmwncbg.exe
4496	luqdmwncbg.exe
4036	yatolojgzh.exe
4036	yatolojgzh.exe
3552	yatolojgzh.exe
3552	yatolojgzh.exe
4820	tybvpowrrc.exe
4820	tybvpowrrc.exe
1824	oiqzjsruwy.exe
1824	oiqzjsruwy.exe
1824	oiqzjsruwy.exe
1824	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4036	yatolojgzh.exe
4036	yatolojgzh.exe
4216	nywyzmgjjz.exe
4216	nywyzmgjjz.exe
4216	nywyzmgjjz.exe
4216	nywyzmgjjz.exe
868	nywyzmgjjz.exe
868	nywyzmgjjz.exe
1824	oiqzjsruwy.exe
1824	oiqzjsruwy.exe
1876	wrjmwocfyh.exe
1876	wrjmwocfyh.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3664	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3664	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
3876	rcmcjmwzsa.exe
3876	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3004	rcmcjmwzsa.exe
3184	bjznntbqmx.exe
3184	bjznntbqmx.exe
756	bjznntbqmx.exe
756	bjznntbqmx.exe
4496	luqdmwncbg.exe
4496	luqdmwncbg.exe
1156	luqdmwncbg.exe
1156	luqdmwncbg.exe
4820	tybvpowrrc.exe
4820	tybvpowrrc.exe
640	tybvpowrrc.exe
640	tybvpowrrc.exe
4036	yatolojgzh.exe
4036	yatolojgzh.exe
3552	yatolojgzh.exe
3552	yatolojgzh.exe
1824	oiqzjsruwy.exe
1824	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4840	oiqzjsruwy.exe
4216	nywyzmgjjz.exe
4216	nywyzmgjjz.exe
868	nywyzmgjjz.exe
868	nywyzmgjjz.exe
1876	wrjmwocfyh.exe
1876	wrjmwocfyh.exe
3548	wrjmwocfyh.exe
3548	wrjmwocfyh.exe
3512	vsdlugkskr.exe
3512	vsdlugkskr.exe
4432	vsdlugkskr.exe
4432	vsdlugkskr.exe
2284	tqwuyghzrq.exe
2284	tqwuyghzrq.exe
4348	tqwuyghzrq.exe
4348	tqwuyghzrq.exe
2268	vuzscgotka.exe
2268	vuzscgotka.exe
4344	vuzscgotka.exe
4344	vuzscgotka.exe
3476	ytbewmjfrn.exe
3476	ytbewmjfrn.exe
2408	ytbewmjfrn.exe
2408	ytbewmjfrn.exe
3084	dndvxymcik.exe
3084	dndvxymcik.exe
3520	dndvxymcik.exe
3520	dndvxymcik.exe
4052	itjdvwlsol.exe
4052	itjdvwlsol.exe
4764	itjdvwlsol.exe
4764	itjdvwlsol.exe
1192	nkzhjklity.exe
1192	nkzhjklity.exe
1980	nkzhjklity.exe
1980	nkzhjklity.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3664	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	82
PID 4068 wrote to memory of 3664	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	82
PID 4068 wrote to memory of 3664	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	82
PID 4068 wrote to memory of 3876	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	83
PID 4068 wrote to memory of 3876	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	83
PID 4068 wrote to memory of 3876	4068	790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe	83
PID 3876 wrote to memory of 3004	3876	rcmcjmwzsa.exe	84
PID 3876 wrote to memory of 3004	3876	rcmcjmwzsa.exe	84
PID 3876 wrote to memory of 3004	3876	rcmcjmwzsa.exe	84
PID 3876 wrote to memory of 3184	3876	rcmcjmwzsa.exe	85
PID 3876 wrote to memory of 3184	3876	rcmcjmwzsa.exe	85
PID 3876 wrote to memory of 3184	3876	rcmcjmwzsa.exe	85
PID 3184 wrote to memory of 756	3184	bjznntbqmx.exe	86
PID 3184 wrote to memory of 756	3184	bjznntbqmx.exe	86
PID 3184 wrote to memory of 756	3184	bjznntbqmx.exe	86
PID 3184 wrote to memory of 4496	3184	bjznntbqmx.exe	87
PID 3184 wrote to memory of 4496	3184	bjznntbqmx.exe	87
PID 3184 wrote to memory of 4496	3184	bjznntbqmx.exe	87
PID 4496 wrote to memory of 1156	4496	luqdmwncbg.exe	88
PID 4496 wrote to memory of 1156	4496	luqdmwncbg.exe	88
PID 4496 wrote to memory of 1156	4496	luqdmwncbg.exe	88
PID 4496 wrote to memory of 4820	4496	luqdmwncbg.exe	89
PID 4496 wrote to memory of 4820	4496	luqdmwncbg.exe	89
PID 4496 wrote to memory of 4820	4496	luqdmwncbg.exe	89
PID 4820 wrote to memory of 640	4820	tybvpowrrc.exe	90
PID 4820 wrote to memory of 640	4820	tybvpowrrc.exe	90
PID 4820 wrote to memory of 640	4820	tybvpowrrc.exe	90
PID 4820 wrote to memory of 4036	4820	tybvpowrrc.exe	91
PID 4820 wrote to memory of 4036	4820	tybvpowrrc.exe	91
PID 4820 wrote to memory of 4036	4820	tybvpowrrc.exe	91
PID 4036 wrote to memory of 3552	4036	yatolojgzh.exe	92
PID 4036 wrote to memory of 3552	4036	yatolojgzh.exe	92
PID 4036 wrote to memory of 3552	4036	yatolojgzh.exe	92
PID 4036 wrote to memory of 1824	4036	yatolojgzh.exe	93
PID 4036 wrote to memory of 1824	4036	yatolojgzh.exe	93
PID 4036 wrote to memory of 1824	4036	yatolojgzh.exe	93
PID 1824 wrote to memory of 4840	1824	oiqzjsruwy.exe	94
PID 1824 wrote to memory of 4840	1824	oiqzjsruwy.exe	94
PID 1824 wrote to memory of 4840	1824	oiqzjsruwy.exe	94
PID 1824 wrote to memory of 4216	1824	oiqzjsruwy.exe	95
PID 1824 wrote to memory of 4216	1824	oiqzjsruwy.exe	95
PID 1824 wrote to memory of 4216	1824	oiqzjsruwy.exe	95
PID 4216 wrote to memory of 868	4216	nywyzmgjjz.exe	96
PID 4216 wrote to memory of 868	4216	nywyzmgjjz.exe	96
PID 4216 wrote to memory of 868	4216	nywyzmgjjz.exe	96
PID 4216 wrote to memory of 1876	4216	nywyzmgjjz.exe	97
PID 4216 wrote to memory of 1876	4216	nywyzmgjjz.exe	97
PID 4216 wrote to memory of 1876	4216	nywyzmgjjz.exe	97
PID 1876 wrote to memory of 3548	1876	wrjmwocfyh.exe	98
PID 1876 wrote to memory of 3548	1876	wrjmwocfyh.exe	98
PID 1876 wrote to memory of 3548	1876	wrjmwocfyh.exe	98
PID 1876 wrote to memory of 3512	1876	wrjmwocfyh.exe	99
PID 1876 wrote to memory of 3512	1876	wrjmwocfyh.exe	99
PID 1876 wrote to memory of 3512	1876	wrjmwocfyh.exe	99
PID 3512 wrote to memory of 4432	3512	vsdlugkskr.exe	100
PID 3512 wrote to memory of 4432	3512	vsdlugkskr.exe	100
PID 3512 wrote to memory of 4432	3512	vsdlugkskr.exe	100
PID 3512 wrote to memory of 2284	3512	vsdlugkskr.exe	103
PID 3512 wrote to memory of 2284	3512	vsdlugkskr.exe	103
PID 3512 wrote to memory of 2284	3512	vsdlugkskr.exe	103
PID 2284 wrote to memory of 4348	2284	tqwuyghzrq.exe	104
PID 2284 wrote to memory of 4348	2284	tqwuyghzrq.exe	104
PID 2284 wrote to memory of 4348	2284	tqwuyghzrq.exe	104
PID 2284 wrote to memory of 2268	2284	tqwuyghzrq.exe	154

C:\Users\Admin\AppData\Local\Temp\790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
"C:\Users\Admin\AppData\Local\Temp\790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe
  C:\Users\Admin\AppData\Local\Temp\790891fa61cedb0d56cccdeac4f04f0b571222177952e6950930b14b45196fbb.exe update rcmcjmwzsa.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3664
- C:\Users\Admin\AppData\Local\Temp\rcmcjmwzsa.exe
  C:\Users\Admin\AppData\Local\Temp\rcmcjmwzsa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\rcmcjmwzsa.exe
    C:\Users\Admin\AppData\Local\Temp\rcmcjmwzsa.exe update bjznntbqmx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\bjznntbqmx.exe
    C:\Users\Admin\AppData\Local\Temp\bjznntbqmx.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\bjznntbqmx.exe
      C:\Users\Admin\AppData\Local\Temp\bjznntbqmx.exe update luqdmwncbg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:756
  - - C:\Users\Admin\AppData\Local\Temp\luqdmwncbg.exe
      C:\Users\Admin\AppData\Local\Temp\luqdmwncbg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\luqdmwncbg.exe
        
        C:\Users\Admin\AppData\Local\Temp\luqdmwncbg.exe update tybvpowrrc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\tybvpowrrc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tybvpowrrc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\tybvpowrrc.exe
        
        C:\Users\Admin\AppData\Local\Temp\tybvpowrrc.exe update yatolojgzh.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\yatolojgzh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yatolojgzh.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\yatolojgzh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yatolojgzh.exe update oiqzjsruwy.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\oiqzjsruwy.exe
        
        C:\Users\Admin\AppData\Local\Temp\oiqzjsruwy.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\oiqzjsruwy.exe
        
        C:\Users\Admin\AppData\Local\Temp\oiqzjsruwy.exe update nywyzmgjjz.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\nywyzmgjjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\nywyzmgjjz.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\nywyzmgjjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\nywyzmgjjz.exe update wrjmwocfyh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\wrjmwocfyh.exe
        
        C:\Users\Admin\AppData\Local\Temp\wrjmwocfyh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\wrjmwocfyh.exe
        
        C:\Users\Admin\AppData\Local\Temp\wrjmwocfyh.exe update vsdlugkskr.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe update tqwuyghzrq.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tqwuyghzrq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tqwuyghzrq.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tqwuyghzrq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tqwuyghzrq.exe update vuzscgotka.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\vuzscgotka.exe
        
        C:\Users\Admin\AppData\Local\Temp\vuzscgotka.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\vuzscgotka.exe
        
        C:\Users\Admin\AppData\Local\Temp\vuzscgotka.exe update ytbewmjfrn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\ytbewmjfrn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ytbewmjfrn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\ytbewmjfrn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ytbewmjfrn.exe update dndvxymcik.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\dndvxymcik.exe
        
        C:\Users\Admin\AppData\Local\Temp\dndvxymcik.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\dndvxymcik.exe
        
        C:\Users\Admin\AppData\Local\Temp\dndvxymcik.exe update itjdvwlsol.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\itjdvwlsol.exe
        
        C:\Users\Admin\AppData\Local\Temp\itjdvwlsol.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\itjdvwlsol.exe
        
        C:\Users\Admin\AppData\Local\Temp\itjdvwlsol.exe update nkzhjklity.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\nkzhjklity.exe
        
        C:\Users\Admin\AppData\Local\Temp\nkzhjklity.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\nkzhjklity.exe
        
        C:\Users\Admin\AppData\Local\Temp\nkzhjklity.exe update qkatdqpuzl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\qkatdqpuzl.exe
        
        C:\Users\Admin\AppData\Local\Temp\qkatdqpuzl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\qkatdqpuzl.exe
        
        C:\Users\Admin\AppData\Local\Temp\qkatdqpuzl.exe update hrltzhlekb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe update nivkrweyjk.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\nivkrweyjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\nivkrweyjk.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\nivkrweyjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\nivkrweyjk.exe update crzjdetvfe.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\crzjdetvfe.exe
        
        C:\Users\Admin\AppData\Local\Temp\crzjdetvfe.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\crzjdetvfe.exe
        
        C:\Users\Admin\AppData\Local\Temp\crzjdetvfe.exe update cgjxxopjwr.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\cgjxxopjwr.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgjxxopjwr.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\cgjxxopjwr.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgjxxopjwr.exe update hycgjysmkm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\hycgjysmkm.exe
        
        C:\Users\Admin\AppData\Local\Temp\hycgjysmkm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\hycgjysmkm.exe
        
        C:\Users\Admin\AppData\Local\Temp\hycgjysmkm.exe update rtmsbhbxjp.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\rtmsbhbxjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rtmsbhbxjp.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\rtmsbhbxjp.exe
        
        C:\Users\Admin\AppData\Local\Temp\rtmsbhbxjp.exe update rjnassrlne.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\rjnassrlne.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjnassrlne.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\rjnassrlne.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjnassrlne.exe update rrujpjlvtd.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\rrujpjlvtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\rrujpjlvtd.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\rrujpjlvtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\rrujpjlvtd.exe update uflaafsvto.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\uflaafsvto.exe
        
        C:\Users\Admin\AppData\Local\Temp\uflaafsvto.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\uflaafsvto.exe
        
        C:\Users\Admin\AppData\Local\Temp\uflaafsvto.exe update mjutnrmcmq.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\mjutnrmcmq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mjutnrmcmq.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\mjutnrmcmq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mjutnrmcmq.exe update eqxujziuxg.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\eqxujziuxg.exe
        
        C:\Users\Admin\AppData\Local\Temp\eqxujziuxg.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\eqxujziuxg.exe
        
        C:\Users\Admin\AppData\Local\Temp\eqxujziuxg.exe update bwbfbdacmf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\bwbfbdacmf.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwbfbdacmf.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\bwbfbdacmf.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwbfbdacmf.exe update ezpgfspexn.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\ezpgfspexn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ezpgfspexn.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\ezpgfspexn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ezpgfspexn.exe update mwmutsncek.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\mwmutsncek.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwmutsncek.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\mwmutsncek.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwmutsncek.exe update bxkytqnipm.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\bxkytqnipm.exe
        
        C:\Users\Admin\AppData\Local\Temp\bxkytqnipm.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\bxkytqnipm.exe
        
        C:\Users\Admin\AppData\Local\Temp\bxkytqnipm.exe update tbrlmukffq.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tbrlmukffq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tbrlmukffq.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tbrlmukffq.exe
        
        C:\Users\Admin\AppData\Local\Temp\tbrlmukffq.exe update txqzumdied.exe
        34⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\txqzumdied.exe
        
        C:\Users\Admin\AppData\Local\Temp\txqzumdied.exe
        34⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\txqzumdied.exe
        
        C:\Users\Admin\AppData\Local\Temp\txqzumdied.exe update jswyjjxuwq.exe
        35⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\jswyjjxuwq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jswyjjxuwq.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\jswyjjxuwq.exe
        
        C:\Users\Admin\AppData\Local\Temp\jswyjjxuwq.exe update eypljohdtj.exe
        36⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\eypljohdtj.exe
        
        C:\Users\Admin\AppData\Local\Temp\eypljohdtj.exe
        36⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\eypljohdtj.exe
        
        C:\Users\Admin\AppData\Local\Temp\eypljohdtj.exe update bozocphkxc.exe
        37⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\bozocphkxc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bozocphkxc.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\bozocphkxc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bozocphkxc.exe update qpdfincygg.exe
        38⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\qpdfincygg.exe
        
        C:\Users\Admin\AppData\Local\Temp\qpdfincygg.exe
        38⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\qpdfincygg.exe
        
        C:\Users\Admin\AppData\Local\Temp\qpdfincygg.exe update lhitfwqakk.exe
        39⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\lhitfwqakk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhitfwqakk.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\lhitfwqakk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhitfwqakk.exe update jtpjutjfcy.exe
        40⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\jtpjutjfcy.exe
        
        C:\Users\Admin\AppData\Local\Temp\jtpjutjfcy.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\jtpjutjfcy.exe
        
        C:\Users\Admin\AppData\Local\Temp\jtpjutjfcy.exe update dsfrpfsrfc.exe
        41⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\dsfrpfsrfc.exe
        
        C:\Users\Admin\AppData\Local\Temp\dsfrpfsrfc.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\dsfrpfsrfc.exe
        
        C:\Users\Admin\AppData\Local\Temp\dsfrpfsrfc.exe update txziezmces.exe
        42⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\txziezmces.exe
        
        C:\Users\Admin\AppData\Local\Temp\txziezmces.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\txziezmces.exe
        
        C:\Users\Admin\AppData\Local\Temp\txziezmces.exe update ltywfljruv.exe
        43⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\ltywfljruv.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltywfljruv.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\ltywfljruv.exe
        
        C:\Users\Admin\AppData\Local\Temp\ltywfljruv.exe update deprecwqen.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\deprecwqen.exe
        
        C:\Users\Admin\AppData\Local\Temp\deprecwqen.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\deprecwqen.exe
        
        C:\Users\Admin\AppData\Local\Temp\deprecwqen.exe update dilhyaitui.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\dilhyaitui.exe
        
        C:\Users\Admin\AppData\Local\Temp\dilhyaitui.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\dilhyaitui.exe
        
        C:\Users\Admin\AppData\Local\Temp\dilhyaitui.exe update ideswnfyqz.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\ideswnfyqz.exe
        
        C:\Users\Admin\AppData\Local\Temp\ideswnfyqz.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\ideswnfyqz.exe
        
        C:\Users\Admin\AppData\Local\Temp\ideswnfyqz.exe update ylbduywmvq.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\ylbduywmvq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ylbduywmvq.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\ylbduywmvq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ylbduywmvq.exe update fjvusspxuf.exe
        48⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\fjvusspxuf.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjvusspxuf.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\fjvusspxuf.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjvusspxuf.exe update ffscgdljqu.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\ffscgdljqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ffscgdljqu.exe
        49⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\ffscgdljqu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ffscgdljqu.exe update vzstotaahy.exe
        50⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\vzstotaahy.exe
        
        C:\Users\Admin\AppData\Local\Temp\vzstotaahy.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\vzstotaahy.exe
        
        C:\Users\Admin\AppData\Local\Temp\vzstotaahy.exe update pjgrxpztso.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\pjgrxpztso.exe
        
        C:\Users\Admin\AppData\Local\Temp\pjgrxpztso.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\pjgrxpztso.exe
        
        C:\Users\Admin\AppData\Local\Temp\pjgrxpztso.exe update qygptnfzjr.exe
        52⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\qygptnfzjr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qygptnfzjr.exe
        52⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\qygptnfzjr.exe
        
        C:\Users\Admin\AppData\Local\Temp\qygptnfzjr.exe update pvdqhybkny.exe
        53⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\pvdqhybkny.exe
        
        C:\Users\Admin\AppData\Local\Temp\pvdqhybkny.exe
        53⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\pvdqhybkny.exe
        
        C:\Users\Admin\AppData\Local\Temp\pvdqhybkny.exe update niioljykfv.exe
        54⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\niioljykfv.exe
        
        C:\Users\Admin\AppData\Local\Temp\niioljykfv.exe
        54⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\niioljykfv.exe
        
        C:\Users\Admin\AppData\Local\Temp\niioljykfv.exe update ppacsvmocy.exe
        55⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\ppacsvmocy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ppacsvmocy.exe
        55⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\ppacsvmocy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ppacsvmocy.exe update xatqaqfsuc.exe
        56⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\xatqaqfsuc.exe
        
        C:\Users\Admin\AppData\Local\Temp\xatqaqfsuc.exe
        56⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\xatqaqfsuc.exe
        
        C:\Users\Admin\AppData\Local\Temp\xatqaqfsuc.exe update hsjrdwjimc.exe
        57⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\hsjrdwjimc.exe
        
        C:\Users\Admin\AppData\Local\Temp\hsjrdwjimc.exe
        57⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\hsjrdwjimc.exe
        
        C:\Users\Admin\AppData\Local\Temp\hsjrdwjimc.exe update uvakgcbscj.exe
        58⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\uvakgcbscj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uvakgcbscj.exe
        58⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\uvakgcbscj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uvakgcbscj.exe update ksjveqjisy.exe
        59⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\ksjveqjisy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ksjveqjisy.exe
        59⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\ksjveqjisy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ksjveqjisy.exe update ctfduyhdwp.exe
        60⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\ctfduyhdwp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ctfduyhdwp.exe
        60⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\ctfduyhdwp.exe
        
        C:\Users\Admin\AppData\Local\Temp\ctfduyhdwp.exe update mkueeruciv.exe
        61⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\mkueeruciv.exe
        
        C:\Users\Admin\AppData\Local\Temp\mkueeruciv.exe
        61⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\mkueeruciv.exe
        
        C:\Users\Admin\AppData\Local\Temp\mkueeruciv.exe update kfbcunnhrj.exe
        62⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\kfbcunnhrj.exe
        
        C:\Users\Admin\AppData\Local\Temp\kfbcunnhrj.exe
        62⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\kfbcunnhrj.exe
        
        C:\Users\Admin\AppData\Local\Temp\kfbcunnhrj.exe update mwsvrmfkjz.exe
        63⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\mwsvrmfkjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwsvrmfkjz.exe
        63⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\mwsvrmfkjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\mwsvrmfkjz.exe update cqatruvbsu.exe
        64⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\cqatruvbsu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cqatruvbsu.exe
        64⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\cqatruvbsu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cqatruvbsu.exe update zzwfeuplxv.exe
        65⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\zzwfeuplxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\zzwfeuplxv.exe
        65⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\zzwfeuplxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\zzwfeuplxv.exe update kofngqbeua.exe
        66⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\kofngqbeua.exe
        
        C:\Users\Admin\AppData\Local\Temp\kofngqbeua.exe
        66⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\kofngqbeua.exe
        
        C:\Users\Admin\AppData\Local\Temp\kofngqbeua.exe update zpcdmgwake.exe
        67⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\zpcdmgwake.exe
        
        C:\Users\Admin\AppData\Local\Temp\zpcdmgwake.exe
        67⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\zpcdmgwake.exe
        
        C:\Users\Admin\AppData\Local\Temp\zpcdmgwake.exe update wuzoqdknal.exe
        68⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\wuzoqdknal.exe
        
        C:\Users\Admin\AppData\Local\Temp\wuzoqdknal.exe
        68⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\wuzoqdknal.exe
        
        C:\Users\Admin\AppData\Local\Temp\wuzoqdknal.exe update yecpitflkb.exe
        69⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\yecpitflkb.exe
        
        C:\Users\Admin\AppData\Local\Temp\yecpitflkb.exe
        69⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\yecpitflkb.exe
        
        C:\Users\Admin\AppData\Local\Temp\yecpitflkb.exe update mgcneaundp.exe
        70⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\mgcneaundp.exe
        
        C:\Users\Admin\AppData\Local\Temp\mgcneaundp.exe
        70⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\mgcneaundp.exe
        
        C:\Users\Admin\AppData\Local\Temp\mgcneaundp.exe update rbwdfuwjue.exe
        71⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\rbwdfuwjue.exe
        
        C:\Users\Admin\AppData\Local\Temp\rbwdfuwjue.exe
        71⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\rbwdfuwjue.exe
        
        C:\Users\Admin\AppData\Local\Temp\rbwdfuwjue.exe update ooccbxmrmu.exe
        72⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\ooccbxmrmu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ooccbxmrmu.exe
        72⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\ooccbxmrmu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ooccbxmrmu.exe update oszypdddxv.exe
        73⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\oszypdddxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\oszypdddxv.exe
        73⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\oszypdddxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\oszypdddxv.exe update jnglvrtqto.exe
        74⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\jnglvrtqto.exe
        
        C:\Users\Admin\AppData\Local\Temp\jnglvrtqto.exe
        74⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\jnglvrtqto.exe
        
        C:\Users\Admin\AppData\Local\Temp\jnglvrtqto.exe update gamwzgodqw.exe
        75⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\gamwzgodqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\gamwzgodqw.exe
        75⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\gamwzgodqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\gamwzgodqw.exe update yoxsmjgwhh.exe
        76⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\yoxsmjgwhh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yoxsmjgwhh.exe
        76⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\yoxsmjgwhh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yoxsmjgwhh.exe update gahaaxbifm.exe
        77⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\gahaaxbifm.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahaaxbifm.exe
        77⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\gahaaxbifm.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahaaxbifm.exe update nugyjnrzoq.exe
        78⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\nugyjnrzoq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nugyjnrzoq.exe
        78⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\nugyjnrzoq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nugyjnrzoq.exe update drcukgichd.exe
        79⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\drcukgichd.exe
        
        C:\Users\Admin\AppData\Local\Temp\drcukgichd.exe
        79⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\drcukgichd.exe
        
        C:\Users\Admin\AppData\Local\Temp\drcukgichd.exe update whoizwjmms.exe
        80⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\whoizwjmms.exe
        
        C:\Users\Admin\AppData\Local\Temp\whoizwjmms.exe
        80⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\whoizwjmms.exe
        
        C:\Users\Admin\AppData\Local\Temp\whoizwjmms.exe update dlhotmmhsp.exe
        81⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\dlhotmmhsp.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlhotmmhsp.exe
        81⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\dlhotmmhsp.exe
        
        C:\Users\Admin\AppData\Local\Temp\dlhotmmhsp.exe update darcvwivkd.exe
        82⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\darcvwivkd.exe
        
        C:\Users\Admin\AppData\Local\Temp\darcvwivkd.exe
        82⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\darcvwivkd.exe
        
        C:\Users\Admin\AppData\Local\Temp\darcvwivkd.exe update bckjdwtavh.exe
        83⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\bckjdwtavh.exe
        
        C:\Users\Admin\AppData\Local\Temp\bckjdwtavh.exe
        83⤵
        
        PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjznntbqmx.exe

Filesize
10.4MB

MD5
b4327818e30f08c242d3b04712142eb8

SHA1
ecd7a4a18a66a0298d76f96e744cc8381ac3f816

SHA256
0349122a847c253a49d2462391a6e426ccb046fa631d6d81ef9981b9aabb9413

SHA512
24c322fc663883650205bcc04f60a51fc402a0f778f4781135e72826718617dff628e0257744af880bf19d653496301de81ce0c19563f5e62d6276af01863417

Download Submit
C:\Users\Admin\AppData\Local\Temp\dndvxymcik.exe

Filesize
10.4MB

MD5
6015732467f14bf8ffadc82c3a486b0c

SHA1
aa8e8b0b4ae0e1febc5c38409756ca5a97b43bf2

SHA256
779f96e0320c7357d9a920e6e82945ac51ff071fc4d54b7cf3cb45dbf97bdbcc

SHA512
490e9756466edd41839eacbdda2a60b55f1dfa534351266787be878365fb7038320c4245b1d0a3387189c05159dee513741eb5fac81f43d099db018fa94d1819

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe

Filesize
10.4MB

MD5
c38aeafb5e853c6ed51af03ef7965b76

SHA1
f26e31c168d31974136392fd79031b015a65c7ee

SHA256
8f375564e76bdc53f5684c49dd2ffb6419baec56eb51c8dd506b3f6b1cb21c7a

SHA512
b948e895f231a520ee242e0f36253a530a3b6cd27ec4585027a82536e9eb0bc53ae56538482a63954eb4bea2ceb37ef87d9c54ed0d42d2b895b35d5522326953

Download Submit
C:\Users\Admin\AppData\Local\Temp\itjdvwlsol.exe

Filesize
10.4MB

MD5
3f13ba460fb258e6728b4beb6b5cdd9a

SHA1
7b3adce069a3f702e71f7aae5d62b3b2b017e3ca

SHA256
a13e41f757938ea0294008f22318d1e61856a379d1ec2402f5aee2c0ed2dd8c4

SHA512
4fc2f904726622a904289cb10a53d12efe8e89976bed6502154b9944bcb57c71130910068a6882c2de9439e2847e73f72ce49f5cfd92e4b4c95973c53ebd7771

Download Submit
C:\Users\Admin\AppData\Local\Temp\luqdmwncbg.exe

Filesize
10.4MB

MD5
f3f5dc71114c5163f36cd8977d6cf8e3

SHA1
133a9d911d7b22d24ec79e825d600e7a6fdac5fb

SHA256
1c2bf5485e695b5d310e3250b3e34493fd7cd772d6e8a3e80c0760bfae64e178

SHA512
26eefaf1f088737aa87f649d1b84c1cbe3f0160dc1fdb1f04f9ccf937f6606c5f76066d7eaa8a1d10ab64b34398757be9b20dd4765339237da92b6536855a3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nivkrweyjk.exe

Filesize
10.4MB

MD5
f2cb7ec8cc39669939713c69fbea39dd

SHA1
2e17165703b00794ddcebc5354b0c233aaeacba3

SHA256
0df0e456b36a7fa7966c00fc2367de343bce30f1c30e53694f3b94c00108b6c1

SHA512
4c3a17389ebc6974222681129f7b3ba2c998db9d990e26dfd8ff7c38bb61fd023cb34b327d65b9e5b9f30816899e2333d2ef355a79f18393acb33b106776aa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkzhjklity.exe

Filesize
10.4MB

MD5
53c571a85084deeceb9c5fcb8f8bd910

SHA1
dc8ffc96e2a8aa125138b170a6ff2e7068e557ef

SHA256
a1a5e58ecd131652621f69ef0ecce21fdcd3f08c8b8884e5f5163405453a6264

SHA512
effee3396f9fc0ebbb36a83b4af1987e484fe502fb0e3b57cf6f00818b3fdc7402705f0580204f493c1845a1afc7ccf28f51495e24745767795cd33cae2f8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nywyzmgjjz.exe

Filesize
10.4MB

MD5
f8726528882ed2a227fc2dd65d343820

SHA1
4565c1a02ad25928aa1a3790979896157ab28588

SHA256
51a2fd997e0d7c916121d7357a1e78bc19a82bbf26de49c187171ae882d78b62

SHA512
4db427532e2a9e7b19dc896743eadd48371a6f13cdff2869b05fb90b715a4b37e748f7e87ff7dce58a742987d201842926e5ba9f9372b0496b1b98d19b7d56e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiqzjsruwy.exe

Filesize
10.4MB

MD5
ca0e80708a82b21d879e04656d02facb

SHA1
81471b5a5007e9a53f9702af9a1211000ae4084f

SHA256
640824cf3f7d83ba2122a5059a00ceae17c5ecd69f0d47debe371d0d185fa710

SHA512
b7f08db04ca3703f857722b4fabb1bf3385b022dd181bbbae23f3fdc868ac7b02392e53b44290a623b0cf2651e1c1f55b67e0bb82c94ddd56f5882dca5206875

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkatdqpuzl.exe

Filesize
10.4MB

MD5
a927995436d7d03ac6f44231094c933c

SHA1
0d48c9dc7335d0c34b98ae5fc1f964286f2bc79b

SHA256
183cc19fbb2f5d039e394e3cf8d32cb1c3612fe663dbe05ab1b8cf3cc08f0bfe

SHA512
dcf08b9ca5cf815a43bfb2a4578fd01b1cd9f506352842dd791fc439c83a28993ddfa02bf3fc87106443edc9d163c1050be6aa47cecc8b0d64ca3faa792d69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcmcjmwzsa.exe

Filesize
10.4MB

MD5
6d71f2e60ec487c7b6092cb0b05715b2

SHA1
98b56bd051dded39c75a89196491610887be33ea

SHA256
8433df6776c9e9a36a872ac75325b3d314aedd6eb0de9c86dd6a99fc5228026e

SHA512
250fbad67f71e9633c2c7abd3677fd2bfef69d2242a55a2642c57e92a5b49d028f8ea09ebae1b87ff94bfc3de6f6c32d48e79efa48b878fd4bbf417f281e1956

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqwuyghzrq.exe

Filesize
10.4MB

MD5
506cf5fda304d8227350c93648100032

SHA1
b918e60ef43677da26ab745d7d340cf252bf027d

SHA256
9fb97b29003352d50d8e0f38c225d153849c6749d332866b5c60b6dea275309e

SHA512
91b1528a51c3b3a13167e7eb07a89de9187dc45e055dc55d543dcc178defa5b45d29954773eb08c4292fa43277550e1ad15d4be6d4417e980886777148893d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tybvpowrrc.exe

Filesize
10.4MB

MD5
73db3d5ce3652cf41d04c8e3b60e3a16

SHA1
0ed0df33389a6ceb199180102566ea97e85df5fa

SHA256
267aff462645c031eb86e9334fc29631a173e940478643018c7e66ef5d1ecd34

SHA512
bcaded52130d53a468c1374d77c78050b2da6eb8705761006197a802f27c3f11b45759efd75cbdb0befec1a363467428ccf8cee570e0fc17f08c248b56ad8b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
9a306620117bfd32179e1414e4ef3ff1

SHA1
eeaae33056febb041b8306ed16ddd46521cf394d

SHA256
5499ce261342066396b5a6aff9ff251184834e62edef3c52c805a88e7a6dbf12

SHA512
103c0fa199332d46ab89de94fbbb27a5e6778c85218270c13448430fde1a44a97d7f004d537bcb86b6a08101a94f87cf4de6513528c1ed416b142aba4e0e9de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
819cb106ab427de6a2d6004f328129a3

SHA1
eda3db23848c99bc6b208d0ce87e27693de66211

SHA256
91e3bb775f1c88ff33269b5ee9b1f07c19396e69213e93375ac9d32314ec1990

SHA512
a72686ab7653d379c20b594f5b07148a36c82cf1f7f2b521b2689af7d6088c76e7e8af49df71a41e356b93bfe3409f674bd6bdbffda4fbab7f022f9d6e844b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
05df42bb4c0855517368861f67563bde

SHA1
6d12636b26927868c7a0a84cb8af1334b7302f89

SHA256
625053ca6a39f83e24782a0d94a36df96efed85823716c66b24ea0d512627caf

SHA512
cdedb0a8748fdc9a7f8aad1e5c64cf793fdbbf73acb31acd511510b9e6de7a2601058c4d253ddf998e3e02de5cf113a1a5c18429ee609f1e43ae72f41918792c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3874259a64af6cf78cf95b731e7eac76

SHA1
15433ad932b406ae1b32df10c6ab50ab2d8ad50a

SHA256
795fb9953429097c27b05737e605c383523419289acfdca913d2b373e24f0fa4

SHA512
aa1ebb9c610cb576505dc890801d7c3f29c2692ba7d6dc502a0e362970dee0dc8f48c16045a0a9dbba69519189ad1e288fdd290897d92ebd3fb53a595052e64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
60ef700947f7ab7146c29be6224677fb

SHA1
07a8a872b73912644856e952a1d815cdb0fdb8e0

SHA256
3193c1fd128874cf46c3d52e903930af23a61213605e9c75ac3e067e633c4745

SHA512
c332cac43c81d57ee2d3aaeb07cded57ca1834cbc263243667033890dc2feff5ecab22dad54b932e7c31f216fe90361a54ea5897ddc481b28db7d8fd73f07201

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
091655061d184c4097f48843a8ff3b8a

SHA1
be2a3fa94036bb71aa0b23d9623479c7cbaeca1e

SHA256
4a0e7d2a8423806c04580c3470b587441afc7548654ac89d55e159b99e0074c4

SHA512
faf3c7ab17431d3027a1494496cde0595f77609ed36bb6e4df8b70f2db1ad496a4fdfa1455b77810b0ed0936d9151dbf16c8c8e017d12dd5d3ba090cd2e20909

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
1a180a4766f061811de36a5128b0e207

SHA1
98d3556062217ccea3d14c986771c478b222e963

SHA256
f6e9d1310d7e3fce4fdd3f0d0bce5f5068385593aad7c3065e028d5c2ff7def5

SHA512
90561608d2de8526377ae7d477a8eb103328dabc6c67c3af5263b3cd9c7d92809df6066691e21f98dcc92acb79266c2e796b71998529ef5ca303cd33815acb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
6c28a2630167fa964e58dd3a6ceff8df

SHA1
7e24c18587d1673f5c4aa91ba81c2851cb5f11ec

SHA256
48cbdee92a245d64e6895622d37e2c6240ece420e802a1d58a3bc0270f1b9412

SHA512
67ac3c9ee37847acb58bcff1c3ed9d8901096b13abb65eb61808fac1a04ee03989b70da54af700a4b4b7f7facb981afd2b6ec3a9fa859e5e50f10442548fdd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsdlugkskr.exe

Filesize
10.4MB

MD5
f88473aee7bfa687e7b267faf3bb016f

SHA1
1a3a5ea0625f4fba5b62ce52bcd0e3a3cf2015f6

SHA256
ec87cd5810fb97914c4c0485df15a860ea7e6ee43f3061dd563094ec0af4dc48

SHA512
18f6dc33918b597b90a8e7c7afd0632c0058b4f88b989e7e04e4410e32355fa00ae59ccca6bd67265a755be02748ecb01cbf1b124371b1a13577072248d94ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuzscgotka.exe

Filesize
10.4MB

MD5
025bad50b51f9b2207c68879d9e0803b

SHA1
e1be70a1fcf915cadd87fcf8fc5d71c7a0aed390

SHA256
8f06b01140d4bb62a3158e711adfbe185911147b68e292540441e6e2e0ef6032

SHA512
9495427f96626d2cc9b035069b542d39472cdb4aa108d853c2718f74034ae1df49721e42d2f0b13a44a8b252ba3a91ade2033b0f8cf74fc27fee5903c7fc61a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrjmwocfyh.exe

Filesize
10.4MB

MD5
f690aa11d669afb5ee2455fc42ee3317

SHA1
54d5a6313716f53203a24b32dd61268c7d40a798

SHA256
5ef428f3d4ccca3bddccb2b60e6cedbbffd5f72e0440b108305fe52c6f32a08f

SHA512
5e5355106ee3d3a52edd8f48f2c6c7389b55ae50a587028dd053061f6708e43d7853c2e8bbed0d95d2437002b41dcc3b774d150bc559310fd917b5d351ed60a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yatolojgzh.exe

Filesize
10.4MB

MD5
70341ab756ce1b658cd32a658e4da612

SHA1
4800f182b510a27445fda66b845a37c43b99ca69

SHA256
e09ee20731ce547b0fb3cc6c19dfea839757e4ba70c38b86c673a74ef0b28bdd

SHA512
06726843c9fc4ec9a8aec14823c6a8008abe94d41a15e8bce85382187157a10c1cd75f59d04fd0155d3f5c98c3ac4fb9358e1d0b535825e0883e496e4e6b155a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytbewmjfrn.exe

Filesize
10.4MB

MD5
8f4d6b14e6556db0a40693733367a2ea

SHA1
38f01505693f25b2ebd6031967083d1c9f20f86f

SHA256
5ecd3f858aa90da049c2b1d2d630e96ffea681e12d32c3e5ac3607111cf3bdaf

SHA512
3bb3e878cd6dd95e5bc2a161ea6445f1a185888307b060087b0da563284ae826a84deef614de4fd73030f411b59f800c22c63bc5180e0ed5421a7a216730f7b1

Download Submit
memory/640-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/756-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/756-24-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/868-71-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1156-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1192-160-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1824-58-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1876-80-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1980-163-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2268-116-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2284-105-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2408-130-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3004-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3004-15-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3084-138-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3184-21-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3184-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3476-127-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3512-94-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3520-141-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3548-83-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3552-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3552-51-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3664-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3664-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3664-3-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3664-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3876-73-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3876-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3876-12-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3876-11-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3876-87-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4036-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4052-149-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4068-76-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4068-63-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4068-0-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4068-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/4068-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4216-68-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4344-119-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4348-110-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4432-96-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/4432-97-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4496-30-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4496-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4764-152-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4820-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4820-39-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4840-61-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download