9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35

Analysis

max time kernel
95s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
Size

10.4MB
MD5

54f300439623be210d18730a4d74a1d2
SHA1

1e7d52398f2667c0e785f78afff90abdb67c90b0
SHA256

9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35
SHA512

63518cbe5cf9cea2b8d21d4ca38af148b7d09726aaac266cea54a94d8a3b80ae95a8a99d335c2e6096aaa5b3e23e819919ac059867deeb0b12f53cfd87a4c850
SSDEEP

196608:XZGmuosR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnosREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3932	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
1980	gazubqyctw.exe
4984	gazubqyctw.exe
3800	nxxippvaat.exe
5012	nxxippvaat.exe
4960	fmxlflkjca.exe
3872	fmxlflkjca.exe
1584	vffkobzale.exe
4708	vffkobzale.exe
2944	qamklclowk.exe
3124	qamklclowk.exe
3136	fffruqrxuj.exe
3132	fffruqrxuj.exe
3988	ktkpwjtsvi.exe
4800	ktkpwjtsvi.exe
2224	xrolpoqehv.exe
4820	xrolpoqehv.exe
1556	qvxrozqlud.exe
1660	qvxrozqlud.exe
1756	xsuaqzqsyt.exe
2024	xsuaqzqsyt.exe
3660	ftrwqxixjw.exe
3620	ftrwqxixjw.exe
2240	raenvctjqh.exe
1844	raenvctjqh.exe
4232	zxctrjrhpe.exe
1876	zxctrjrhpe.exe
3080	klqmesmnph.exe
816	klqmesmnph.exe
1440	uaegqbpaos.exe
1892	uaegqbpaos.exe
3220	mmzzpctsge.exe
1256	mmzzpctsge.exe
60	phqygeqcam.exe
4296	phqygeqcam.exe
5036	xfnmvlnizb.exe
964	xfnmvlnizb.exe
4408	ecsarlsgyy.exe
3488	ecsarlsgyy.exe
1724	msnbaroalz.exe
1636	msnbaroalz.exe
2108	rfkmsvniaq.exe
3184	rfkmsvniaq.exe
1516	rmsubfeefe.exe
5096	rmsubfeefe.exe
1156	whmllrybwu.exe
1956	whmllrybwu.exe
2212	gdygromynn.exe
4424	gdygromynn.exe
2488	ljcsiyiclo.exe
4780	ljcsiyiclo.exe
2824	bgndulenpf.exe
736	bgndulenpf.exe
4656	qsvtvateyj.exe
4716	qsvtvateyj.exe
4772	girebmcbdz.exe
3112	girebmcbdz.exe
1644	vnavwpbjbp.exe
2648	vnavwpbjbp.exe
400	gmpvfhnjev.exe
3580	gmpvfhnjev.exe
3620	gfbrzokaox.exe
516	gfbrzokaox.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1124	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
3932	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
1980	gazubqyctw.exe
4984	gazubqyctw.exe
3800	nxxippvaat.exe
5012	nxxippvaat.exe
4960	fmxlflkjca.exe
3872	fmxlflkjca.exe
1584	vffkobzale.exe
4708	vffkobzale.exe
2944	qamklclowk.exe
3124	qamklclowk.exe
3136	fffruqrxuj.exe
3132	fffruqrxuj.exe
3988	ktkpwjtsvi.exe
4800	ktkpwjtsvi.exe
2224	xrolpoqehv.exe
4820	xrolpoqehv.exe
1556	qvxrozqlud.exe
1660	qvxrozqlud.exe
1756	xsuaqzqsyt.exe
2024	xsuaqzqsyt.exe
3660	ftrwqxixjw.exe
3620	ftrwqxixjw.exe
2240	raenvctjqh.exe
1844	raenvctjqh.exe
4232	zxctrjrhpe.exe
1876	zxctrjrhpe.exe
3080	klqmesmnph.exe
816	klqmesmnph.exe
1440	uaegqbpaos.exe
1892	uaegqbpaos.exe
3220	mmzzpctsge.exe
1256	mmzzpctsge.exe
60	phqygeqcam.exe
4296	phqygeqcam.exe
5036	xfnmvlnizb.exe
964	xfnmvlnizb.exe
4408	ecsarlsgyy.exe
3488	ecsarlsgyy.exe
1724	msnbaroalz.exe
1636	msnbaroalz.exe
2108	rfkmsvniaq.exe
3184	rfkmsvniaq.exe
1516	rmsubfeefe.exe
5096	rmsubfeefe.exe
1156	whmllrybwu.exe
1956	whmllrybwu.exe
2212	gdygromynn.exe
4424	gdygromynn.exe
2488	ljcsiyiclo.exe
4780	ljcsiyiclo.exe
2824	bgndulenpf.exe
736	bgndulenpf.exe
4656	qsvtvateyj.exe
4716	qsvtvateyj.exe
4772	girebmcbdz.exe
3112	girebmcbdz.exe
1644	vnavwpbjbp.exe
2648	vnavwpbjbp.exe
400	gmpvfhnjev.exe
3580	gmpvfhnjev.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrolpoqehv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnavwpbjbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzvtqbazyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvqcwnqkge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmpvfhnjev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cncaffcsgt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usxqckyqbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qamklclowk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgndulenpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvqcwnqkge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xjvtyjngro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fmxlflkjca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vffkobzale.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmzzpctsge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdygromynn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmsubfeefe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyfcifhzok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khyhevqebn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrolpoqehv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzsnaagkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtbtequfcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adrjzpqpwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aelnjgdulw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgbngqqwlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpecsvbxbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsuaqzqsyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uaegqbpaos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adrjzpqpwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futlwobfvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aelnjgdulw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phqygeqcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmpvfhnjev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajzsnaagkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzvtqbazyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nxxippvaat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raenvctjqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klqmesmnph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmzzpctsge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qvxrozqlud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phqygeqcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgndulenpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktkpwjtsvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whmllrybwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpecsvbxbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjsgqxhfcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futlwobfvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klqmesmnph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	girebmcbdz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnavwpbjbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gazubqyctw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnbaroalz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljcsiyiclo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjsgqxhfcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vffkobzale.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgovzmzixu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmdspzimye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtzhgyirbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhhgefsryl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qamklclowk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktkpwjtsvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsuaqzqsyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdygromynn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfkmsvniaq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1124	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1124	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
3932	lmlpgvfbwt.exe
3932	lmlpgvfbwt.exe
3932	lmlpgvfbwt.exe
3932	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1980	gazubqyctw.exe
1980	gazubqyctw.exe
1980	gazubqyctw.exe
1980	gazubqyctw.exe
4984	gazubqyctw.exe
4984	gazubqyctw.exe
3800	nxxippvaat.exe
3800	nxxippvaat.exe
3800	nxxippvaat.exe
3800	nxxippvaat.exe
3932	lmlpgvfbwt.exe
3932	lmlpgvfbwt.exe
5012	nxxippvaat.exe
5012	nxxippvaat.exe
4960	fmxlflkjca.exe
4960	fmxlflkjca.exe
1980	gazubqyctw.exe
1980	gazubqyctw.exe
4960	fmxlflkjca.exe
4960	fmxlflkjca.exe
3872	fmxlflkjca.exe
3872	fmxlflkjca.exe
3800	nxxippvaat.exe
3800	nxxippvaat.exe
1584	vffkobzale.exe
1584	vffkobzale.exe
1584	vffkobzale.exe
1584	vffkobzale.exe
4708	vffkobzale.exe
4708	vffkobzale.exe
4960	fmxlflkjca.exe
4960	fmxlflkjca.exe
2944	qamklclowk.exe
2944	qamklclowk.exe
2944	qamklclowk.exe
2944	qamklclowk.exe
3124	qamklclowk.exe
3124	qamklclowk.exe
1584	vffkobzale.exe
1584	vffkobzale.exe
3136	fffruqrxuj.exe
3136	fffruqrxuj.exe
3136	fffruqrxuj.exe
3136	fffruqrxuj.exe
3132	fffruqrxuj.exe
3132	fffruqrxuj.exe
2944	qamklclowk.exe
2944	qamklclowk.exe
3988	ktkpwjtsvi.exe
3988	ktkpwjtsvi.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1124	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
1124	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
3932	lmlpgvfbwt.exe
3932	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
4436	lmlpgvfbwt.exe
1980	gazubqyctw.exe
1980	gazubqyctw.exe
4984	gazubqyctw.exe
4984	gazubqyctw.exe
3800	nxxippvaat.exe
3800	nxxippvaat.exe
5012	nxxippvaat.exe
5012	nxxippvaat.exe
4960	fmxlflkjca.exe
4960	fmxlflkjca.exe
3872	fmxlflkjca.exe
3872	fmxlflkjca.exe
1584	vffkobzale.exe
1584	vffkobzale.exe
4708	vffkobzale.exe
4708	vffkobzale.exe
2944	qamklclowk.exe
2944	qamklclowk.exe
3124	qamklclowk.exe
3124	qamklclowk.exe
3136	fffruqrxuj.exe
3136	fffruqrxuj.exe
3132	fffruqrxuj.exe
3132	fffruqrxuj.exe
3988	ktkpwjtsvi.exe
3988	ktkpwjtsvi.exe
4800	ktkpwjtsvi.exe
4800	ktkpwjtsvi.exe
2224	xrolpoqehv.exe
2224	xrolpoqehv.exe
4820	xrolpoqehv.exe
4820	xrolpoqehv.exe
1556	qvxrozqlud.exe
1556	qvxrozqlud.exe
1660	qvxrozqlud.exe
1660	qvxrozqlud.exe
1756	xsuaqzqsyt.exe
1756	xsuaqzqsyt.exe
2024	xsuaqzqsyt.exe
2024	xsuaqzqsyt.exe
3660	ftrwqxixjw.exe
3660	ftrwqxixjw.exe
3620	ftrwqxixjw.exe
3620	ftrwqxixjw.exe
2240	raenvctjqh.exe
2240	raenvctjqh.exe
1844	raenvctjqh.exe
1844	raenvctjqh.exe
4232	zxctrjrhpe.exe
4232	zxctrjrhpe.exe
1876	zxctrjrhpe.exe
1876	zxctrjrhpe.exe
3080	klqmesmnph.exe
3080	klqmesmnph.exe
816	klqmesmnph.exe
816	klqmesmnph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1124	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	82
PID 5004 wrote to memory of 1124	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	82
PID 5004 wrote to memory of 1124	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	82
PID 5004 wrote to memory of 3932	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	83
PID 5004 wrote to memory of 3932	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	83
PID 5004 wrote to memory of 3932	5004	9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe	83
PID 3932 wrote to memory of 4436	3932	lmlpgvfbwt.exe	84
PID 3932 wrote to memory of 4436	3932	lmlpgvfbwt.exe	84
PID 3932 wrote to memory of 4436	3932	lmlpgvfbwt.exe	84
PID 3932 wrote to memory of 1980	3932	lmlpgvfbwt.exe	85
PID 3932 wrote to memory of 1980	3932	lmlpgvfbwt.exe	85
PID 3932 wrote to memory of 1980	3932	lmlpgvfbwt.exe	85
PID 1980 wrote to memory of 4984	1980	gazubqyctw.exe	86
PID 1980 wrote to memory of 4984	1980	gazubqyctw.exe	86
PID 1980 wrote to memory of 4984	1980	gazubqyctw.exe	86
PID 1980 wrote to memory of 3800	1980	gazubqyctw.exe	87
PID 1980 wrote to memory of 3800	1980	gazubqyctw.exe	87
PID 1980 wrote to memory of 3800	1980	gazubqyctw.exe	87
PID 3800 wrote to memory of 5012	3800	nxxippvaat.exe	88
PID 3800 wrote to memory of 5012	3800	nxxippvaat.exe	88
PID 3800 wrote to memory of 5012	3800	nxxippvaat.exe	88
PID 3800 wrote to memory of 4960	3800	nxxippvaat.exe	89
PID 3800 wrote to memory of 4960	3800	nxxippvaat.exe	89
PID 3800 wrote to memory of 4960	3800	nxxippvaat.exe	89
PID 4960 wrote to memory of 3872	4960	fmxlflkjca.exe	90
PID 4960 wrote to memory of 3872	4960	fmxlflkjca.exe	90
PID 4960 wrote to memory of 3872	4960	fmxlflkjca.exe	90
PID 4960 wrote to memory of 1584	4960	fmxlflkjca.exe	91
PID 4960 wrote to memory of 1584	4960	fmxlflkjca.exe	91
PID 4960 wrote to memory of 1584	4960	fmxlflkjca.exe	91
PID 1584 wrote to memory of 4708	1584	vffkobzale.exe	92
PID 1584 wrote to memory of 4708	1584	vffkobzale.exe	92
PID 1584 wrote to memory of 4708	1584	vffkobzale.exe	92
PID 1584 wrote to memory of 2944	1584	vffkobzale.exe	93
PID 1584 wrote to memory of 2944	1584	vffkobzale.exe	93
PID 1584 wrote to memory of 2944	1584	vffkobzale.exe	93
PID 2944 wrote to memory of 3124	2944	qamklclowk.exe	94
PID 2944 wrote to memory of 3124	2944	qamklclowk.exe	94
PID 2944 wrote to memory of 3124	2944	qamklclowk.exe	94
PID 2944 wrote to memory of 3136	2944	qamklclowk.exe	95
PID 2944 wrote to memory of 3136	2944	qamklclowk.exe	95
PID 2944 wrote to memory of 3136	2944	qamklclowk.exe	95
PID 3136 wrote to memory of 3132	3136	fffruqrxuj.exe	96
PID 3136 wrote to memory of 3132	3136	fffruqrxuj.exe	96
PID 3136 wrote to memory of 3132	3136	fffruqrxuj.exe	96
PID 3136 wrote to memory of 3988	3136	fffruqrxuj.exe	97
PID 3136 wrote to memory of 3988	3136	fffruqrxuj.exe	97
PID 3136 wrote to memory of 3988	3136	fffruqrxuj.exe	97
PID 3988 wrote to memory of 4800	3988	ktkpwjtsvi.exe	98
PID 3988 wrote to memory of 4800	3988	ktkpwjtsvi.exe	98
PID 3988 wrote to memory of 4800	3988	ktkpwjtsvi.exe	98
PID 3988 wrote to memory of 2224	3988	ktkpwjtsvi.exe	99
PID 3988 wrote to memory of 2224	3988	ktkpwjtsvi.exe	99
PID 3988 wrote to memory of 2224	3988	ktkpwjtsvi.exe	99
PID 2224 wrote to memory of 4820	2224	xrolpoqehv.exe	100
PID 2224 wrote to memory of 4820	2224	xrolpoqehv.exe	100
PID 2224 wrote to memory of 4820	2224	xrolpoqehv.exe	100
PID 2224 wrote to memory of 1556	2224	xrolpoqehv.exe	101
PID 2224 wrote to memory of 1556	2224	xrolpoqehv.exe	101
PID 2224 wrote to memory of 1556	2224	xrolpoqehv.exe	101
PID 1556 wrote to memory of 1660	1556	qvxrozqlud.exe	102
PID 1556 wrote to memory of 1660	1556	qvxrozqlud.exe	102
PID 1556 wrote to memory of 1660	1556	qvxrozqlud.exe	102
PID 1556 wrote to memory of 1756	1556	qvxrozqlud.exe	103

C:\Users\Admin\AppData\Local\Temp\9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
"C:\Users\Admin\AppData\Local\Temp\9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe
  C:\Users\Admin\AppData\Local\Temp\9e19e14ee2b17150d2034a806e3463475ecd3480fdbbb4cc429866946579cc35.exe update lmlpgvfbwt.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\lmlpgvfbwt.exe
  C:\Users\Admin\AppData\Local\Temp\lmlpgvfbwt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\lmlpgvfbwt.exe
    C:\Users\Admin\AppData\Local\Temp\lmlpgvfbwt.exe update gazubqyctw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\gazubqyctw.exe
    C:\Users\Admin\AppData\Local\Temp\gazubqyctw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\gazubqyctw.exe
      C:\Users\Admin\AppData\Local\Temp\gazubqyctw.exe update nxxippvaat.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\nxxippvaat.exe
      C:\Users\Admin\AppData\Local\Temp\nxxippvaat.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Users\Admin\AppData\Local\Temp\nxxippvaat.exe
        
        C:\Users\Admin\AppData\Local\Temp\nxxippvaat.exe update fmxlflkjca.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\fmxlflkjca.exe
        
        C:\Users\Admin\AppData\Local\Temp\fmxlflkjca.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\fmxlflkjca.exe
        
        C:\Users\Admin\AppData\Local\Temp\fmxlflkjca.exe update vffkobzale.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\vffkobzale.exe
        
        C:\Users\Admin\AppData\Local\Temp\vffkobzale.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\vffkobzale.exe
        
        C:\Users\Admin\AppData\Local\Temp\vffkobzale.exe update qamklclowk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\qamklclowk.exe
        
        C:\Users\Admin\AppData\Local\Temp\qamklclowk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\qamklclowk.exe
        
        C:\Users\Admin\AppData\Local\Temp\qamklclowk.exe update fffruqrxuj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\fffruqrxuj.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffruqrxuj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\fffruqrxuj.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffruqrxuj.exe update ktkpwjtsvi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\ktkpwjtsvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\ktkpwjtsvi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\ktkpwjtsvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\ktkpwjtsvi.exe update xrolpoqehv.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\xrolpoqehv.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrolpoqehv.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\xrolpoqehv.exe
        
        C:\Users\Admin\AppData\Local\Temp\xrolpoqehv.exe update qvxrozqlud.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\qvxrozqlud.exe
        
        C:\Users\Admin\AppData\Local\Temp\qvxrozqlud.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\qvxrozqlud.exe
        
        C:\Users\Admin\AppData\Local\Temp\qvxrozqlud.exe update xsuaqzqsyt.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\xsuaqzqsyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\xsuaqzqsyt.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\xsuaqzqsyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\xsuaqzqsyt.exe update ftrwqxixjw.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\ftrwqxixjw.exe
        
        C:\Users\Admin\AppData\Local\Temp\ftrwqxixjw.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\ftrwqxixjw.exe
        
        C:\Users\Admin\AppData\Local\Temp\ftrwqxixjw.exe update raenvctjqh.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\raenvctjqh.exe
        
        C:\Users\Admin\AppData\Local\Temp\raenvctjqh.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\raenvctjqh.exe
        
        C:\Users\Admin\AppData\Local\Temp\raenvctjqh.exe update zxctrjrhpe.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\zxctrjrhpe.exe
        
        C:\Users\Admin\AppData\Local\Temp\zxctrjrhpe.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\zxctrjrhpe.exe
        
        C:\Users\Admin\AppData\Local\Temp\zxctrjrhpe.exe update klqmesmnph.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\klqmesmnph.exe
        
        C:\Users\Admin\AppData\Local\Temp\klqmesmnph.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\klqmesmnph.exe
        
        C:\Users\Admin\AppData\Local\Temp\klqmesmnph.exe update uaegqbpaos.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\uaegqbpaos.exe
        
        C:\Users\Admin\AppData\Local\Temp\uaegqbpaos.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\uaegqbpaos.exe
        
        C:\Users\Admin\AppData\Local\Temp\uaegqbpaos.exe update mmzzpctsge.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\mmzzpctsge.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmzzpctsge.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\mmzzpctsge.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmzzpctsge.exe update phqygeqcam.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\phqygeqcam.exe
        
        C:\Users\Admin\AppData\Local\Temp\phqygeqcam.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\phqygeqcam.exe
        
        C:\Users\Admin\AppData\Local\Temp\phqygeqcam.exe update xfnmvlnizb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\xfnmvlnizb.exe
        
        C:\Users\Admin\AppData\Local\Temp\xfnmvlnizb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\xfnmvlnizb.exe
        
        C:\Users\Admin\AppData\Local\Temp\xfnmvlnizb.exe update ecsarlsgyy.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\ecsarlsgyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ecsarlsgyy.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\ecsarlsgyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ecsarlsgyy.exe update msnbaroalz.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\msnbaroalz.exe
        
        C:\Users\Admin\AppData\Local\Temp\msnbaroalz.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\msnbaroalz.exe
        
        C:\Users\Admin\AppData\Local\Temp\msnbaroalz.exe update rfkmsvniaq.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\rfkmsvniaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfkmsvniaq.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\rfkmsvniaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfkmsvniaq.exe update rmsubfeefe.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\rmsubfeefe.exe
        
        C:\Users\Admin\AppData\Local\Temp\rmsubfeefe.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\rmsubfeefe.exe
        
        C:\Users\Admin\AppData\Local\Temp\rmsubfeefe.exe update whmllrybwu.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\whmllrybwu.exe
        
        C:\Users\Admin\AppData\Local\Temp\whmllrybwu.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\whmllrybwu.exe
        
        C:\Users\Admin\AppData\Local\Temp\whmllrybwu.exe update gdygromynn.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\gdygromynn.exe
        
        C:\Users\Admin\AppData\Local\Temp\gdygromynn.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\gdygromynn.exe
        
        C:\Users\Admin\AppData\Local\Temp\gdygromynn.exe update ljcsiyiclo.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\ljcsiyiclo.exe
        
        C:\Users\Admin\AppData\Local\Temp\ljcsiyiclo.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\ljcsiyiclo.exe
        
        C:\Users\Admin\AppData\Local\Temp\ljcsiyiclo.exe update bgndulenpf.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\bgndulenpf.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgndulenpf.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\bgndulenpf.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgndulenpf.exe update qsvtvateyj.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\qsvtvateyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qsvtvateyj.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\qsvtvateyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qsvtvateyj.exe update girebmcbdz.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\girebmcbdz.exe
        
        C:\Users\Admin\AppData\Local\Temp\girebmcbdz.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\girebmcbdz.exe
        
        C:\Users\Admin\AppData\Local\Temp\girebmcbdz.exe update vnavwpbjbp.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\vnavwpbjbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnavwpbjbp.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\vnavwpbjbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\vnavwpbjbp.exe update gmpvfhnjev.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\gmpvfhnjev.exe
        
        C:\Users\Admin\AppData\Local\Temp\gmpvfhnjev.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\gmpvfhnjev.exe
        
        C:\Users\Admin\AppData\Local\Temp\gmpvfhnjev.exe update gfbrzokaox.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\gfbrzokaox.exe
        
        C:\Users\Admin\AppData\Local\Temp\gfbrzokaox.exe
        33⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\gfbrzokaox.exe
        
        C:\Users\Admin\AppData\Local\Temp\gfbrzokaox.exe update dpecsvbxbz.exe
        34⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\dpecsvbxbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\dpecsvbxbz.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\dpecsvbxbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\dpecsvbxbz.exe update ajzsnaagkf.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\ajzsnaagkf.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajzsnaagkf.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\ajzsnaagkf.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajzsnaagkf.exe update dtbtequfcv.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\dtbtequfcv.exe
        
        C:\Users\Admin\AppData\Local\Temp\dtbtequfcv.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\dtbtequfcv.exe
        
        C:\Users\Admin\AppData\Local\Temp\dtbtequfcv.exe update vtzhgyirbs.exe
        37⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\vtzhgyirbs.exe
        
        C:\Users\Admin\AppData\Local\Temp\vtzhgyirbs.exe
        37⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\vtzhgyirbs.exe
        
        C:\Users\Admin\AppData\Local\Temp\vtzhgyirbs.exe update bzvtqbazyj.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\bzvtqbazyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzvtqbazyj.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\bzvtqbazyj.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzvtqbazyj.exe update adrjzpqpwo.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\adrjzpqpwo.exe
        
        C:\Users\Admin\AppData\Local\Temp\adrjzpqpwo.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\adrjzpqpwo.exe
        
        C:\Users\Admin\AppData\Local\Temp\adrjzpqpwo.exe update cvqcwnqkge.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cvqcwnqkge.exe
        
        C:\Users\Admin\AppData\Local\Temp\cvqcwnqkge.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\cvqcwnqkge.exe
        
        C:\Users\Admin\AppData\Local\Temp\cvqcwnqkge.exe update aelnjgdulw.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\aelnjgdulw.exe
        
        C:\Users\Admin\AppData\Local\Temp\aelnjgdulw.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\aelnjgdulw.exe
        
        C:\Users\Admin\AppData\Local\Temp\aelnjgdulw.exe update futlwobfvj.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\futlwobfvj.exe
        
        C:\Users\Admin\AppData\Local\Temp\futlwobfvj.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\futlwobfvj.exe
        
        C:\Users\Admin\AppData\Local\Temp\futlwobfvj.exe update xjvtyjngro.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\xjvtyjngro.exe
        
        C:\Users\Admin\AppData\Local\Temp\xjvtyjngro.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\xjvtyjngro.exe
        
        C:\Users\Admin\AppData\Local\Temp\xjvtyjngro.exe update pyfcifhzok.exe
        44⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\pyfcifhzok.exe
        
        C:\Users\Admin\AppData\Local\Temp\pyfcifhzok.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\pyfcifhzok.exe
        
        C:\Users\Admin\AppData\Local\Temp\pyfcifhzok.exe update fgbngqqwlb.exe
        45⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\fgbngqqwlb.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgbngqqwlb.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\fgbngqqwlb.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgbngqqwlb.exe update kjsgqxhfcr.exe
        46⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\kjsgqxhfcr.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjsgqxhfcr.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\kjsgqxhfcr.exe
        
        C:\Users\Admin\AppData\Local\Temp\kjsgqxhfcr.exe update kfruqqjiae.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\kfruqqjiae.exe
        
        C:\Users\Admin\AppData\Local\Temp\kfruqqjiae.exe
        47⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\kfruqqjiae.exe
        
        C:\Users\Admin\AppData\Local\Temp\kfruqqjiae.exe update cncaffcsgt.exe
        48⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\cncaffcsgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\cncaffcsgt.exe
        48⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\cncaffcsgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\cncaffcsgt.exe update cgovzmzixu.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\cgovzmzixu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgovzmzixu.exe
        49⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\cgovzmzixu.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgovzmzixu.exe update khyhevqebn.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\khyhevqebn.exe
        
        C:\Users\Admin\AppData\Local\Temp\khyhevqebn.exe
        50⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\khyhevqebn.exe
        
        C:\Users\Admin\AppData\Local\Temp\khyhevqebn.exe update pmdspzimye.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\pmdspzimye.exe
        
        C:\Users\Admin\AppData\Local\Temp\pmdspzimye.exe
        51⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\pmdspzimye.exe
        
        C:\Users\Admin\AppData\Local\Temp\pmdspzimye.exe update usxqckyqbg.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\usxqckyqbg.exe
        
        C:\Users\Admin\AppData\Local\Temp\usxqckyqbg.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\usxqckyqbg.exe
        
        C:\Users\Admin\AppData\Local\Temp\usxqckyqbg.exe update mhhgefsryl.exe
        53⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\mhhgefsryl.exe
        
        C:\Users\Admin\AppData\Local\Temp\mhhgefsryl.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\mhhgefsryl.exe
        
        C:\Users\Admin\AppData\Local\Temp\mhhgefsryl.exe update ekxcdwfqid.exe
        54⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\ekxcdwfqid.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekxcdwfqid.exe
        54⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\ekxcdwfqid.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekxcdwfqid.exe update rqbnchbtge.exe
        55⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\rqbnchbtge.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqbnchbtge.exe
        55⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\rqbnchbtge.exe
        
        C:\Users\Admin\AppData\Local\Temp\rqbnchbtge.exe update wdfgnlsbdv.exe
        56⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        56⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wdfgnlsbdv.exe update rzwreggyun.exe
        57⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\rzwreggyun.exe
        
        C:\Users\Admin\AppData\Local\Temp\rzwreggyun.exe
        57⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\rzwreggyun.exe
        
        C:\Users\Admin\AppData\Local\Temp\rzwreggyun.exe update zseuyvbhgp.exe
        58⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\zseuyvbhgp.exe
        
        C:\Users\Admin\AppData\Local\Temp\zseuyvbhgp.exe
        58⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\zseuyvbhgp.exe
        
        C:\Users\Admin\AppData\Local\Temp\zseuyvbhgp.exe update bgsikquids.exe
        59⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\bgsikquids.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgsikquids.exe
        59⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\bgsikquids.exe
        
        C:\Users\Admin\AppData\Local\Temp\bgsikquids.exe update bzeeewryvt.exe
        60⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\bzeeewryvt.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzeeewryvt.exe
        60⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\bzeeewryvt.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzeeewryvt.exe update wjjksngbzy.exe
        61⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wjjksngbzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\wjjksngbzy.exe
        61⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\wjjksngbzy.exe
        
        C:\Users\Admin\AppData\Local\Temp\wjjksngbzy.exe update erinexulkq.exe
        62⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        62⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe
        
        C:\Users\Admin\AppData\Local\Temp\erinexulkq.exe update jelguokdtw.exe
        63⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\jelguokdtw.exe
        
        C:\Users\Admin\AppData\Local\Temp\jelguokdtw.exe
        63⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\jelguokdtw.exe
        
        C:\Users\Admin\AppData\Local\Temp\jelguokdtw.exe update rbwrgiywpm.exe
        64⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\rbwrgiywpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\rbwrgiywpm.exe
        64⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\rbwrgiywpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\rbwrgiywpm.exe update rrfaololub.exe
        65⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\rrfaololub.exe
        
        C:\Users\Admin\AppData\Local\Temp\rrfaololub.exe
        65⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\rrfaololub.exe
        
        C:\Users\Admin\AppData\Local\Temp\rrfaololub.exe update bugnaihnkv.exe
        66⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\bugnaihnkv.exe
        
        C:\Users\Admin\AppData\Local\Temp\bugnaihnkv.exe
        66⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\bugnaihnkv.exe
        
        C:\Users\Admin\AppData\Local\Temp\bugnaihnkv.exe update rofljyxeby.exe
        67⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\rofljyxeby.exe
        
        C:\Users\Admin\AppData\Local\Temp\rofljyxeby.exe
        67⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\rofljyxeby.exe
        
        C:\Users\Admin\AppData\Local\Temp\rofljyxeby.exe update eftrjaplxt.exe
        68⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\eftrjaplxt.exe
        
        C:\Users\Admin\AppData\Local\Temp\eftrjaplxt.exe
        68⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\eftrjaplxt.exe
        
        C:\Users\Admin\AppData\Local\Temp\eftrjaplxt.exe update lnsvvjedit.exe
        69⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\lnsvvjedit.exe
        
        C:\Users\Admin\AppData\Local\Temp\lnsvvjedit.exe
        69⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\lnsvvjedit.exe
        
        C:\Users\Admin\AppData\Local\Temp\lnsvvjedit.exe update lrglxpxfyo.exe
        70⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\lrglxpxfyo.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrglxpxfyo.exe
        70⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\lrglxpxfyo.exe
        
        C:\Users\Admin\AppData\Local\Temp\lrglxpxfyo.exe update gqfzdbmbwr.exe
        71⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\gqfzdbmbwr.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqfzdbmbwr.exe
        71⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\gqfzdbmbwr.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqfzdbmbwr.exe update itjkpmiqut.exe
        72⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\itjkpmiqut.exe
        
        C:\Users\Admin\AppData\Local\Temp\itjkpmiqut.exe
        72⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\itjkpmiqut.exe
        
        C:\Users\Admin\AppData\Local\Temp\itjkpmiqut.exe update teklnjhkft.exe
        73⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\teklnjhkft.exe
        
        C:\Users\Admin\AppData\Local\Temp\teklnjhkft.exe
        73⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\teklnjhkft.exe
        
        C:\Users\Admin\AppData\Local\Temp\teklnjhkft.exe update liszgveadw.exe
        74⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\liszgveadw.exe
        
        C:\Users\Admin\AppData\Local\Temp\liszgveadw.exe
        74⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\liszgveadw.exe
        
        C:\Users\Admin\AppData\Local\Temp\liszgveadw.exe update irnksnrkio.exe
        75⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\irnksnrkio.exe
        
        C:\Users\Admin\AppData\Local\Temp\irnksnrkio.exe
        75⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\irnksnrkio.exe
        
        C:\Users\Admin\AppData\Local\Temp\irnksnrkio.exe update qcxshbmwxc.exe
        76⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\qcxshbmwxc.exe
        
        C:\Users\Admin\AppData\Local\Temp\qcxshbmwxc.exe
        76⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\qcxshbmwxc.exe
        
        C:\Users\Admin\AppData\Local\Temp\qcxshbmwxc.exe update vibdgtiavv.exe
        77⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\vibdgtiavv.exe
        
        C:\Users\Admin\AppData\Local\Temp\vibdgtiavv.exe
        77⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\vibdgtiavv.exe
        
        C:\Users\Admin\AppData\Local\Temp\vibdgtiavv.exe update yhsrufweby.exe
        78⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\yhsrufweby.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhsrufweby.exe
        78⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\yhsrufweby.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhsrufweby.exe update cyaphnugdc.exe
        79⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\cyaphnugdc.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyaphnugdc.exe
        79⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\cyaphnugdc.exe
        
        C:\Users\Admin\AppData\Local\Temp\cyaphnugdc.exe update ahuviybzne.exe
        80⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\ahuviybzne.exe
        
        C:\Users\Admin\AppData\Local\Temp\ahuviybzne.exe
        80⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\ahuviybzne.exe
        
        C:\Users\Admin\AppData\Local\Temp\ahuviybzne.exe update dgujprpdlh.exe
        81⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        81⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dgujprpdlh.exe update yyypdamxql.exe
        82⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\yyypdamxql.exe
        
        C:\Users\Admin\AppData\Local\Temp\yyypdamxql.exe
        82⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\yyypdamxql.exe
        
        C:\Users\Admin\AppData\Local\Temp\yyypdamxql.exe update usrscnjcmd.exe
        83⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        83⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe update vsejeouckr.exe
        84⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\vsejeouckr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsejeouckr.exe
        84⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\vsejeouckr.exe
        
        C:\Users\Admin\AppData\Local\Temp\vsejeouckr.exe update vpcxmhvfje.exe
        85⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\vpcxmhvfje.exe
        
        C:\Users\Admin\AppData\Local\Temp\vpcxmhvfje.exe
        85⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\vpcxmhvfje.exe
        
        C:\Users\Admin\AppData\Local\Temp\vpcxmhvfje.exe update fpbvbuxnvv.exe
        86⤵
        
        PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fffruqrxuj.exe

Filesize
10.4MB

MD5
b57af43c3f6e6992b6a54767a2fefb6b

SHA1
deeaf02b9d0df9c37147d8e78516b068ac81e1e1

SHA256
f25dd81e9c9f55bbb3d3a472722f527ec10691a58befd931ad33c1d941b335bd

SHA512
3a91f7ce03043589d84fdbc6739511f293f6930412cd68da05ae0c383db86e9d09b359f4e698b9fa1d2609aaaae0863a07785cc3aa520dc9179a6ad9b2a43712

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmxlflkjca.exe

Filesize
10.4MB

MD5
7ca72c2daf2e1b953563e55a9299160f

SHA1
f8a95449876931c304629503850299ec8fce0f1e

SHA256
dca245bfb749f7fb9a94707f5a081ba7e371f27ecf08336249489d1452c736b4

SHA512
567ee55bf617ea0f51b9ed3f69aaa5887902afeaefb398a654c802f5dc0aa60a7d19220506b5f1aed861adbe0a44ba6ec55b97eae69d66157bfa7d21357c01f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftrwqxixjw.exe

Filesize
10.4MB

MD5
18c06fd9393d2144f29ae5f1382114ec

SHA1
a371e2cf2da3306ad68e50b8aa943d28560929d5

SHA256
c1700017b8d921a76d0a8244fa7c648c82051bb6bd8b6d52e28c75f52f5690b7

SHA512
801b3480cdf62fb1fd0aab1d368457eacc97ef8b0fbbd3ef5cb399ca5341c6002d5afbae1aa94b56477af836f11804bd82d41ce16f887c31e76986202a3b0e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\gazubqyctw.exe

Filesize
10.4MB

MD5
c523de023336b78200363cf36dea8b0b

SHA1
ad988edb464da2704d08b828157a8d65a98b8605

SHA256
02f0834f775db62bce5037c4498b760f7765a89cf293879aab275ed1cd1b29a5

SHA512
e6bcc98ea6b29cad13cd7d4527f82cb7996808810403fc83fb721a21ea8f11cdcc9e736ca5931e15036f23d961f8c353ad383a98b4305073e20f50446a18a5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\klqmesmnph.exe

Filesize
10.4MB

MD5
5dd3248017022f785ed05335909b168e

SHA1
f1d4b209a0b169bc22e91bbe7c82034c0f52589c

SHA256
8596659e380d07dccfbc76e631de1e6db901e0600052a4d478268a7e2b451e6e

SHA512
d521956f4bcbe39eefd1f4b22b054352e717f8901ce2c0eb242ccba381639bb22ff70d9bbf4ae592c2d66194a33bc0ac86abc1b860093a7c034376bbd8d1724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktkpwjtsvi.exe

Filesize
10.4MB

MD5
41c94e82bc395492dc721e51e5276bde

SHA1
f328b64beb597c5a0938b628fb723f65a90992ad

SHA256
f0016755744422b5ead035eff24d3f1f8dbb3c2e7475b9cf214686c7bebcaa1e

SHA512
4cb8d0522b1af04e19fc98b0994f249461be31ae4fcf9c366edd1982920da60729f68ec2d214b2700f15af053ffc6d370574020fbfb93c5fdcbbd9d7ac8a6d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlpgvfbwt.exe

Filesize
10.4MB

MD5
5a9c5dfaca37eb1d763522cd8e153a61

SHA1
4c18637214f80a0cc49343b17481504415260ca3

SHA256
29e84cb6975b7f53296075f5e29a83d0fd4d996d07cf2dc6dbf448f4ffada100

SHA512
33e15fc820d0449ad0992a2ff7d4618e69b07c9aca6cb7660123a77fd2e93f91edcc16cd809594034c084042576cc553d019ffa33ae5cf2211fc59b384e281e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmzzpctsge.exe

Filesize
10.4MB

MD5
524b3708879adc392703329b2f4c5811

SHA1
92f83ec16913f34f8f8ec925fea24935d9e786bf

SHA256
3c0c4070cd146a5013e85a8b530cb0e8b9b8e41ad67369ef822a6a95d8456e97

SHA512
46935f64c23eb5c29ab280926b16879e1526ee896538b3cd9cb2e1e0ce8baaa4421fef7ea40033d5bde1d6b0bbe403d25ed09f76544c499c088648cd82599040

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxxippvaat.exe

Filesize
10.4MB

MD5
5bcea50eaf9696783b4599a61e0b1abb

SHA1
34b47b92806d53ebbbe7caaa1f47e2452f1232c4

SHA256
b0ee118209db23ca49527a46f3a97155db951337490f6a3fa3bc0af8b9f4ee7a

SHA512
451424ae6a40529a49f6e88797e18f45d876e5dd9ccca41bc93c80fc12ef548af1290b676501d29a258fb86e1658d2db290df29b4cf8393183d9ce95b0c94702

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqygeqcam.exe

Filesize
10.4MB

MD5
ba0b312e58e9d50c8526741ccc454ef2

SHA1
3946579b7267a50648db9191e0fd434ca9b388ac

SHA256
1dc32319124195b5b1e734ace3a27947768ed765b3f44d2169e7d1155aef8f12

SHA512
0129dc98ba833bd37180afc205c51b9954a946a0f82190c3f2188c535405ce91268ed1cf2d8329c9793af90db4c07ac42f29c2e91088c2ba73bb85a61163dd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qamklclowk.exe

Filesize
10.4MB

MD5
d048f6fda173488cc49b7664a988b031

SHA1
1975326ecdb3e73145bb478cbb4612537cf84442

SHA256
f127d38edc570908d608eba6ff318668681e49826cf33ec5a1b6e1825f73a20d

SHA512
2f15e81daa4b183d8c377adde4f39c73faa02222f613803870341da783eb3f85a6f1360a13bf1d414d539389dee95d41a402ca86b1262e880159eb301687c8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvxrozqlud.exe

Filesize
10.4MB

MD5
0aa956a7cc386cd9951a797aa92814fa

SHA1
2b0ac98a87718708b75d323861364648d3041430

SHA256
604cec491a3194ae48e6055ff03d3277bc480d7bc7a1599ba7c7f40ee9dc8aa7

SHA512
fa17aa86b793a0f95a705c286803808766e899940e60d1ff12b99b9d0a518f8982f532faddda428f2b13ce347b9fe5340f623dce07dbfaa88715a8b689c715a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\raenvctjqh.exe

Filesize
10.4MB

MD5
35ae3aa5c3ae37c358f7b5d05d189f4a

SHA1
a84af5edddc116aab7896e179de88d37df636c9c

SHA256
226a19470a5efecab50fc13444d3e99479b5d58e0150962c11f691435c5a7691

SHA512
ec55d2de7861791c8d2ef8bdaca10218605ce35efae45f65412d498e5811e83a256fe11cac3ffa5f9af4272dd2f734bd50e55194930c2f18237dd3ef6461512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uaegqbpaos.exe

Filesize
10.4MB

MD5
005ef8046952a24175a7e00a581fff0f

SHA1
2351b7ac4aedac6874374e385cbddf9a495e0142

SHA256
0cb032cb03f4ca2adff1e96aa01620a35c2dd671d7a9408ae0200143c0d3a963

SHA512
107b09508562d0762ff8f0d8c1c9c2afea9bb99a1684994d818a42871e1253732f653ec3b1048a3a84acdcb717da8d22be655da948a9540575c96d5f46b93bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
06ff9c21e0e2b883bce19bcb4212100c

SHA1
f845ddda9d9adeec44765c5f75cdbec4c6cb56a5

SHA256
a45e6c8d1ce4a3f1ae754fa4e7e0e8318064ee9f1692b91ad2f76451b34b2c95

SHA512
b30c7c900633104f61fd4a24b35c03505b7055ad290fd3aa8e1307c8f2522bfa54c94806f8ff1a89c052745be923068e65b61f1a091ea178a0a2f3cedc3e18e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
4e3fc640d6b42df4a917fa67b64436f1

SHA1
b4df41f4076c149a2699b55f5ee16552acfde440

SHA256
4f37991ab74c8e405fa657b489b6f2d420d043ced79e70b97cbea87a5f875fc1

SHA512
3e31123dd9e88dada3be3843c2343c93453e24e8c5c77acf5518b84da961d4c89fa71c9cdc0aa1ea6ca2f6b6f2a740b95cba1c6d453234d4dfa94a75e43837ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
0e23e4ddae8e7f5877a15ed0620e1531

SHA1
deb1e6739d588a561a4c04b6e78a2b0898dc73d8

SHA256
584fb29b07487fce4cf382d3d9e3fdaa06b60fd29aa8311a79ff6330d753cbe2

SHA512
3e61c49e3509e03f39cfdab4ce97aa4b6c586cfd3c3f1a912c0723b4eaceaf799220f127a51bffa18eacf0416b9cabd679c9b28a0b59fc28a65429d55f3cb0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
dcbfef0e9e4dd1ed7d3f5c78d43c6b34

SHA1
3218c135dbb02c73362f594b71f53604c4b4d39b

SHA256
452d55abe61c899ba786b9eed80b8a6195dbee1f23d73eab1156c4dc80a5315f

SHA512
e71a14100cb2589391aa2298e7e5be0bc54987bcbf74a901d90ca12411f6ed3ff70ab963f296895eb8f2c5edbd4d0fd5371c574d8c9fac539030c37abe11d5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
e03b0b5ee4c84e0f74e3c72303c1aef1

SHA1
d46330512c0831cecc8d76c86cfcfdf70754466a

SHA256
7b0ada55c65d4baf9c53ce59ca51045d9f3fbff8594cd8d9e742f1a65fecf0d1

SHA512
8aafc7277350d9aedbb2093d5b8dd77a8dde4156e26a905ad0c1a3e9c48f7194599291824aa5fa6bdca425c1a25929d18a5e34d350998e242b266a13facb375c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
de3a5c08c5335a536583f7b9d9ecff7b

SHA1
c0931a86c2e3ecc5ab930c6d262050af531e82b6

SHA256
d56061c0084ac7134c7a86d9ccee34816ad98e4f6019f63fdf9ff23698c7ef6d

SHA512
4a230c5270a4559aa8c46ae71df6dec328bea50fadf50c747903b56b255380a89d4afdb4c195a33bb8b91bdc4f0ab62e2ae478c1ea07b0a1f584d2b09563765c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
8cfa9808ff3daed84507c3008fa2e034

SHA1
1eaf04c1cb0c3447febcee6765de5038577dbc60

SHA256
b8646cf6fb3380b49e13257454b3912904f4aaa232df7457221b658fad99a0aa

SHA512
e9777d289aa0a7bc1a054647bd5051870dbb52abb4dccab69c9f0eab550891a6203140f5b439321f5577f762de8b9d1d638a3e060b40cb01e87725c2b1aec7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
836001cdb82f7952fb75b3a93bc2afe1

SHA1
7f412466c1b409ac8b65faf13dc648639279404c

SHA256
2833a06c82047889775cbb5c797ac9362be281169b87cf5a9f486c27585adcc2

SHA512
36d01cda03231255f1f2d72caa6ae9c0fedb5c6a0fce39bbedaf4759ecf343f9607be23f7dca103170d9e44160a47e91b50123ac623020ebf119b17e036718f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
68a49b209eeb5d235f22e3785c5f3fc4

SHA1
48e79ee37b9176bf257cc26a7e30477f704796f4

SHA256
53e9a4fa4b62197b1e9c32416cf682101947a0c225ccbed2048ed7a105a75e66

SHA512
e887928cbb5735d563f690a8cfd2b981a06c7187497ed5e84413bd28356550776f954b6cb71a2e69e389c57ab7e975f99aa007ef00a263134efc6f65ef8ff9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vffkobzale.exe

Filesize
10.4MB

MD5
6a5306f8e9b563b3531e39171a8a6fb1

SHA1
a44bf136a753c65296445aa2e32a99dcfd68a2d0

SHA256
19f6d52d7cbc25fdbaa2cb5d1353591d5539b70c0de8aa389be23af79f56ba1a

SHA512
b620555d8fbd4379fe8da3240ee2cf2566769597cc210619cf82ebb0602889ea7e0b78759d7360918ddc83d582365d69b77d20d32244c2ce547639790d4416c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrolpoqehv.exe

Filesize
10.4MB

MD5
052c0e83b892cd33a49a71186fce4f9e

SHA1
4324e343d51f4b2d80ba294056342d2659c1584f

SHA256
d1fca09a7cc7c7a7781745628263302e31719c23ef91393c6c301aa28fc6b087

SHA512
48cfc4d346ed3b5fa2c260fb7fb69a37215a22e108b6789e859ad6103d3501481f5059bb00f84ce168f17b8b2a6aadc57f7a6ed0fce13dde6b4c2f6190b3b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsuaqzqsyt.exe

Filesize
10.4MB

MD5
913e8dd607842172257b9ff8e578467a

SHA1
014b52c234155a58698396bfc2c794e2ad24e92c

SHA256
5aea209ce7915758c1e8dc98e13e8ae8eeee9bbfb415444e0e1de3ef34a7f34e

SHA512
48dddf988e717cc9b500844f44b89ce4d7cbdba907c2adb12a9a17cde504f9f3957ee0011075c8dbabb8805e529f4ad0a01602358d009bb076e4f79bb444d01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxctrjrhpe.exe

Filesize
10.4MB

MD5
a1caf6020b10ed8f2907e0a00f8ec542

SHA1
b13fe59250c2fd516b78ed7500e4fcd5d264d527

SHA256
72e9c49609075021c5714528ec9f5eea80751b92e5602ca5a56f1cdf3a14180d

SHA512
8217a0967ffb582b60292406e351640ec9789748f025f25a4dd28de11642b328e12d519e5fa53acbfe7f0e4fba8a199c5d265b88772037d67d0e67edfcbcdf75

Download Submit
memory/816-163-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1124-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1124-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1124-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1124-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1556-105-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1584-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1660-108-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1756-116-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1844-143-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1876-154-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1980-21-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1980-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2024-119-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2224-95-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2224-96-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2240-138-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2944-59-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3080-160-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3124-62-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3132-74-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3132-73-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/3136-70-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3620-132-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3660-127-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3660-126-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3800-30-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3800-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3872-42-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3872-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3932-12-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3932-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3932-72-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3932-78-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3932-11-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3988-83-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3988-82-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4232-149-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4436-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4436-15-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4708-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4800-86-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4820-99-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4960-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4984-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4984-24-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/5004-65-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5004-0-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/5004-55-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5004-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5004-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5012-33-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/5012-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download