29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806

Analysis

max time kernel
47s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
Size

10.4MB
MD5

b97c6ddb02c5e166fde82e27adc8ac4b
SHA1

4de2132cad7ebf73ccb053aa6333c7fc96ae934e
SHA256

29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806
SHA512

8f2746c2a888a080f43235e8085561da73740c47b7a2a7c47750657b1419f58341ea0d701584325c045125c82c4bb180ad9386d3849755d24df9d3490ca4627c
SSDEEP

196608:XZGmu6sR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGn6sREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
2808	qmrgtwfjjw.exe
2888	qmrgtwfjjw.exe
2824	idquxidesl.exe
2792	idquxidesl.exe
2612	rccavxqagn.exe
516	rccavxqagn.exe
1136	oysinazhxx.exe
816	oysinazhxx.exe
1428	iybbzorbqf.exe
2336	iybbzorbqf.exe
2128	pdsxpxcppb.exe
548	pdsxpxcppb.exe
2416	fdllledokk.exe
460	fdllledokk.exe
2192	wwashbazlt.exe
1044	wwashbazlt.exe
3012	sybudmgdae.exe

Loads dropped DLL 17 IoCs

pid	Process
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2808	qmrgtwfjjw.exe
2808	qmrgtwfjjw.exe
2824	idquxidesl.exe
2824	idquxidesl.exe
2612	rccavxqagn.exe
2612	rccavxqagn.exe
1136	oysinazhxx.exe
1136	oysinazhxx.exe
1428	iybbzorbqf.exe
1428	iybbzorbqf.exe
2128	pdsxpxcppb.exe
2128	pdsxpxcppb.exe
2416	fdllledokk.exe
2416	fdllledokk.exe
2192	wwashbazlt.exe
2192	wwashbazlt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
1624	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2808	qmrgtwfjjw.exe
2888	qmrgtwfjjw.exe
2824	idquxidesl.exe
2792	idquxidesl.exe
2612	rccavxqagn.exe
516	rccavxqagn.exe
1136	oysinazhxx.exe
816	oysinazhxx.exe
1428	iybbzorbqf.exe
2336	iybbzorbqf.exe
2128	pdsxpxcppb.exe
548	pdsxpxcppb.exe
2416	fdllledokk.exe
460	fdllledokk.exe
2192	wwashbazlt.exe
1044	wwashbazlt.exe
3012	sybudmgdae.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwashbazlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sybudmgdae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oysinazhxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iybbzorbqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdllledokk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rccavxqagn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iybbzorbqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdsxpxcppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdllledokk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwashbazlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idquxidesl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rccavxqagn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdsxpxcppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idquxidesl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oysinazhxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qmrgtwfjjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qmrgtwfjjw.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
1624	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2808	qmrgtwfjjw.exe
2808	qmrgtwfjjw.exe
2888	qmrgtwfjjw.exe
2824	idquxidesl.exe
2824	idquxidesl.exe
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2792	idquxidesl.exe
2808	qmrgtwfjjw.exe
2612	rccavxqagn.exe
2612	rccavxqagn.exe
2824	idquxidesl.exe
516	rccavxqagn.exe
1136	oysinazhxx.exe
1136	oysinazhxx.exe
2612	rccavxqagn.exe
816	oysinazhxx.exe
1428	iybbzorbqf.exe
1428	iybbzorbqf.exe
1136	oysinazhxx.exe
2336	iybbzorbqf.exe
2128	pdsxpxcppb.exe
2128	pdsxpxcppb.exe
1428	iybbzorbqf.exe
548	pdsxpxcppb.exe
2416	fdllledokk.exe
2416	fdllledokk.exe
2128	pdsxpxcppb.exe
460	fdllledokk.exe
2192	wwashbazlt.exe
2192	wwashbazlt.exe
2416	fdllledokk.exe
1044	wwashbazlt.exe
3012	sybudmgdae.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
1624	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
1624	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
2808	qmrgtwfjjw.exe
2808	qmrgtwfjjw.exe
2888	qmrgtwfjjw.exe
2888	qmrgtwfjjw.exe
2824	idquxidesl.exe
2824	idquxidesl.exe
2792	idquxidesl.exe
2792	idquxidesl.exe
2612	rccavxqagn.exe
2612	rccavxqagn.exe
516	rccavxqagn.exe
516	rccavxqagn.exe
1136	oysinazhxx.exe
1136	oysinazhxx.exe
816	oysinazhxx.exe
816	oysinazhxx.exe
1428	iybbzorbqf.exe
1428	iybbzorbqf.exe
2336	iybbzorbqf.exe
2336	iybbzorbqf.exe
2128	pdsxpxcppb.exe
2128	pdsxpxcppb.exe
548	pdsxpxcppb.exe
548	pdsxpxcppb.exe
2416	fdllledokk.exe
2416	fdllledokk.exe
460	fdllledokk.exe
460	fdllledokk.exe
2192	wwashbazlt.exe
2192	wwashbazlt.exe
1044	wwashbazlt.exe
1044	wwashbazlt.exe
3012	sybudmgdae.exe
3012	sybudmgdae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1624	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	30
PID 2740 wrote to memory of 1624	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	30
PID 2740 wrote to memory of 1624	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	30
PID 2740 wrote to memory of 1624	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	30
PID 2740 wrote to memory of 2808	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	31
PID 2740 wrote to memory of 2808	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	31
PID 2740 wrote to memory of 2808	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	31
PID 2740 wrote to memory of 2808	2740	29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe	31
PID 2808 wrote to memory of 2888	2808	qmrgtwfjjw.exe	32
PID 2808 wrote to memory of 2888	2808	qmrgtwfjjw.exe	32
PID 2808 wrote to memory of 2888	2808	qmrgtwfjjw.exe	32
PID 2808 wrote to memory of 2888	2808	qmrgtwfjjw.exe	32
PID 2808 wrote to memory of 2824	2808	qmrgtwfjjw.exe	33
PID 2808 wrote to memory of 2824	2808	qmrgtwfjjw.exe	33
PID 2808 wrote to memory of 2824	2808	qmrgtwfjjw.exe	33
PID 2808 wrote to memory of 2824	2808	qmrgtwfjjw.exe	33
PID 2824 wrote to memory of 2792	2824	idquxidesl.exe	34
PID 2824 wrote to memory of 2792	2824	idquxidesl.exe	34
PID 2824 wrote to memory of 2792	2824	idquxidesl.exe	34
PID 2824 wrote to memory of 2792	2824	idquxidesl.exe	34
PID 2824 wrote to memory of 2612	2824	idquxidesl.exe	35
PID 2824 wrote to memory of 2612	2824	idquxidesl.exe	35
PID 2824 wrote to memory of 2612	2824	idquxidesl.exe	35
PID 2824 wrote to memory of 2612	2824	idquxidesl.exe	35
PID 2612 wrote to memory of 516	2612	rccavxqagn.exe	36
PID 2612 wrote to memory of 516	2612	rccavxqagn.exe	36
PID 2612 wrote to memory of 516	2612	rccavxqagn.exe	36
PID 2612 wrote to memory of 516	2612	rccavxqagn.exe	36
PID 2612 wrote to memory of 1136	2612	rccavxqagn.exe	37
PID 2612 wrote to memory of 1136	2612	rccavxqagn.exe	37
PID 2612 wrote to memory of 1136	2612	rccavxqagn.exe	37
PID 2612 wrote to memory of 1136	2612	rccavxqagn.exe	37
PID 1136 wrote to memory of 816	1136	oysinazhxx.exe	38
PID 1136 wrote to memory of 816	1136	oysinazhxx.exe	38
PID 1136 wrote to memory of 816	1136	oysinazhxx.exe	38
PID 1136 wrote to memory of 816	1136	oysinazhxx.exe	38
PID 1136 wrote to memory of 1428	1136	oysinazhxx.exe	39
PID 1136 wrote to memory of 1428	1136	oysinazhxx.exe	39
PID 1136 wrote to memory of 1428	1136	oysinazhxx.exe	39
PID 1136 wrote to memory of 1428	1136	oysinazhxx.exe	39
PID 1428 wrote to memory of 2336	1428	iybbzorbqf.exe	40
PID 1428 wrote to memory of 2336	1428	iybbzorbqf.exe	40
PID 1428 wrote to memory of 2336	1428	iybbzorbqf.exe	40
PID 1428 wrote to memory of 2336	1428	iybbzorbqf.exe	40
PID 1428 wrote to memory of 2128	1428	iybbzorbqf.exe	41
PID 1428 wrote to memory of 2128	1428	iybbzorbqf.exe	41
PID 1428 wrote to memory of 2128	1428	iybbzorbqf.exe	41
PID 1428 wrote to memory of 2128	1428	iybbzorbqf.exe	41
PID 2128 wrote to memory of 548	2128	pdsxpxcppb.exe	42
PID 2128 wrote to memory of 548	2128	pdsxpxcppb.exe	42
PID 2128 wrote to memory of 548	2128	pdsxpxcppb.exe	42
PID 2128 wrote to memory of 548	2128	pdsxpxcppb.exe	42
PID 2128 wrote to memory of 2416	2128	pdsxpxcppb.exe	43
PID 2128 wrote to memory of 2416	2128	pdsxpxcppb.exe	43
PID 2128 wrote to memory of 2416	2128	pdsxpxcppb.exe	43
PID 2128 wrote to memory of 2416	2128	pdsxpxcppb.exe	43
PID 2416 wrote to memory of 460	2416	fdllledokk.exe	44
PID 2416 wrote to memory of 460	2416	fdllledokk.exe	44
PID 2416 wrote to memory of 460	2416	fdllledokk.exe	44
PID 2416 wrote to memory of 460	2416	fdllledokk.exe	44
PID 2416 wrote to memory of 2192	2416	fdllledokk.exe	45
PID 2416 wrote to memory of 2192	2416	fdllledokk.exe	45
PID 2416 wrote to memory of 2192	2416	fdllledokk.exe	45
PID 2416 wrote to memory of 2192	2416	fdllledokk.exe	45

C:\Users\Admin\AppData\Local\Temp\29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
"C:\Users\Admin\AppData\Local\Temp\29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe
  C:\Users\Admin\AppData\Local\Temp\29db7e7ce42132041e294942b505d2002c21b4a7e35b80dce7b86c1b07718806.exe update qmrgtwfjjw.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\qmrgtwfjjw.exe
  C:\Users\Admin\AppData\Local\Temp\qmrgtwfjjw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\qmrgtwfjjw.exe
    C:\Users\Admin\AppData\Local\Temp\qmrgtwfjjw.exe update idquxidesl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\idquxidesl.exe
    C:\Users\Admin\AppData\Local\Temp\idquxidesl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\idquxidesl.exe
      C:\Users\Admin\AppData\Local\Temp\idquxidesl.exe update rccavxqagn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\rccavxqagn.exe
      C:\Users\Admin\AppData\Local\Temp\rccavxqagn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\rccavxqagn.exe
        
        C:\Users\Admin\AppData\Local\Temp\rccavxqagn.exe update oysinazhxx.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:516
    - - C:\Users\Admin\AppData\Local\Temp\oysinazhxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\oysinazhxx.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\oysinazhxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\oysinazhxx.exe update iybbzorbqf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\iybbzorbqf.exe
        
        C:\Users\Admin\AppData\Local\Temp\iybbzorbqf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\iybbzorbqf.exe
        
        C:\Users\Admin\AppData\Local\Temp\iybbzorbqf.exe update pdsxpxcppb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe update fdllledokk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\fdllledokk.exe
        
        C:\Users\Admin\AppData\Local\Temp\fdllledokk.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\fdllledokk.exe
        
        C:\Users\Admin\AppData\Local\Temp\fdllledokk.exe update wwashbazlt.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\wwashbazlt.exe
        
        C:\Users\Admin\AppData\Local\Temp\wwashbazlt.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\wwashbazlt.exe
        
        C:\Users\Admin\AppData\Local\Temp\wwashbazlt.exe update sybudmgdae.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\sybudmgdae.exe
        
        C:\Users\Admin\AppData\Local\Temp\sybudmgdae.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\sybudmgdae.exe
        
        C:\Users\Admin\AppData\Local\Temp\sybudmgdae.exe update cudszgemqo.exe
        11⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\cudszgemqo.exe
        
        C:\Users\Admin\AppData\Local\Temp\cudszgemqo.exe
        11⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\cudszgemqo.exe
        
        C:\Users\Admin\AppData\Local\Temp\cudszgemqo.exe update thzjxnmmek.exe
        12⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\thzjxnmmek.exe
        
        C:\Users\Admin\AppData\Local\Temp\thzjxnmmek.exe
        12⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\thzjxnmmek.exe
        
        C:\Users\Admin\AppData\Local\Temp\thzjxnmmek.exe update bpqozhduth.exe
        13⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\bpqozhduth.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpqozhduth.exe
        13⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\bpqozhduth.exe
        
        C:\Users\Admin\AppData\Local\Temp\bpqozhduth.exe update aqtmqukpbz.exe
        14⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\aqtmqukpbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\aqtmqukpbz.exe
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\aqtmqukpbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\aqtmqukpbz.exe update kcnnuphavq.exe
        15⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\kcnnuphavq.exe
        
        C:\Users\Admin\AppData\Local\Temp\kcnnuphavq.exe
        15⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\kcnnuphavq.exe
        
        C:\Users\Admin\AppData\Local\Temp\kcnnuphavq.exe update bvqermryul.exe
        16⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\bvqermryul.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvqermryul.exe
        16⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\bvqermryul.exe
        
        C:\Users\Admin\AppData\Local\Temp\bvqermryul.exe update rfmvqkwpsl.exe
        17⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\rfmvqkwpsl.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfmvqkwpsl.exe
        17⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\rfmvqkwpsl.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfmvqkwpsl.exe update fzzqrksofl.exe
        18⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\fzzqrksofl.exe
        
        C:\Users\Admin\AppData\Local\Temp\fzzqrksofl.exe
        18⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\fzzqrksofl.exe
        
        C:\Users\Admin\AppData\Local\Temp\fzzqrksofl.exe update gotzqcwwli.exe
        19⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\gotzqcwwli.exe
        
        C:\Users\Admin\AppData\Local\Temp\gotzqcwwli.exe
        19⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\gotzqcwwli.exe
        
        C:\Users\Admin\AppData\Local\Temp\gotzqcwwli.exe update elxdszngte.exe
        20⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\elxdszngte.exe
        
        C:\Users\Admin\AppData\Local\Temp\elxdszngte.exe
        20⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\elxdszngte.exe
        
        C:\Users\Admin\AppData\Local\Temp\elxdszngte.exe update zktmryoqad.exe
        21⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\zktmryoqad.exe
        
        C:\Users\Admin\AppData\Local\Temp\zktmryoqad.exe
        21⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\zktmryoqad.exe
        
        C:\Users\Admin\AppData\Local\Temp\zktmryoqad.exe update skqqzosthh.exe
        22⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\skqqzosthh.exe
        
        C:\Users\Admin\AppData\Local\Temp\skqqzosthh.exe
        22⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\skqqzosthh.exe
        
        C:\Users\Admin\AppData\Local\Temp\skqqzosthh.exe update xxceibqnop.exe
        23⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\xxceibqnop.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxceibqnop.exe
        23⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\xxceibqnop.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxceibqnop.exe update useixumqhn.exe
        24⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\useixumqhn.exe
        
        C:\Users\Admin\AppData\Local\Temp\useixumqhn.exe
        24⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\useixumqhn.exe
        
        C:\Users\Admin\AppData\Local\Temp\useixumqhn.exe update buwzdrmgaq.exe
        25⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\buwzdrmgaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\buwzdrmgaq.exe
        25⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\buwzdrmgaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\buwzdrmgaq.exe update ryraiojqnh.exe
        26⤵
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bpqozhduth.exe

Filesize
10.4MB

MD5
4e927b991aec8324b80234737693e004

SHA1
914f11d487c7ba1dbb98d87b4bc705a3ecca23d1

SHA256
fb942079e551fdd71d0d4df8b2342e45e9b48d09fa1e096a034c1dba14863aac

SHA512
5ba4d20c978be209b3209b24f87a6aa57151eae7bb6724695a47b2d1ab5670db067a940a4aaa5c6e1d4c0461d742b13df7809d04200a61c5b49cad2ec8e02348

Download Submit
C:\Users\Admin\AppData\Local\Temp\cudszgemqo.exe

Filesize
10.4MB

MD5
cfd83227744b84f1665444bc24585185

SHA1
b6ff7dc897f27afb0f8d13f15411a9bf7eab5c6c

SHA256
2449ba0aef1364dbddbecec59c68a7928dab31086f5180fa55e454aba8982ee7

SHA512
6a66c8562e32535c273eeae85433384e6350fdf6a2d2a642b72bb7f0bb49adb258f7286e112048332edf99b3e376528f507504f6a1062542afb1617f1155a6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdllledokk.exe

Filesize
10.4MB

MD5
79453eb60bc71c1674bba25a3e7efd2c

SHA1
6740b529da7837564abdc7ed9ccf329dbacb52f0

SHA256
ae4beeb6f926109094577f17cc0f76e54c095021a385222cbd898e939437e578

SHA512
fcf2afac9867c92e9de89cafbc8ba4c3f43f4039ea70ab5fb0f40029b82103bd5ad56dac1bcb38e12050396ee36a0ba3f6f1d10b0e3734db57a20660cf290141

Download Submit
C:\Users\Admin\AppData\Local\Temp\idquxidesl.exe

Filesize
10.4MB

MD5
3bbdfd80c5c6fb7c5f760a45dab6f21c

SHA1
efaeb2ff0a71f0b02632fb5d02e3a6d1ef300717

SHA256
dcd94d7630eaf3fdeeeee1c1ca776067e8fdeacf41ff87dddbf51fe0e1fb60ed

SHA512
f6d68946a13ede066beab5be4d77d1441f9513179f2215a7cc741b5e38baff9ac8b807f68873b5fa007c7ba0aa1c45bec9a4d2deb4bd94aa2dd8dd1d7eb9eb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\iybbzorbqf.exe

Filesize
10.4MB

MD5
e1ad316abce41a350c2e617da6c9136c

SHA1
e710ebee8dad4d5fb45f6e158325171f3032ab46

SHA256
ce8843922d36774b0baae87d20a550ede1aba6b01b8c021dfd05bde946ef3f43

SHA512
23a10d1963e07b28e9fdb455f0b49261cfd28088d0aff4fd0807ce62cbf92ade51ecde614e3a73da3d600489bea7960b000b02ee8f8d8c7a847665b7117cfcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oysinazhxx.exe

Filesize
10.4MB

MD5
77a390138752557e75d9c8a63e629f8f

SHA1
d408c2e8d9e351b4f81e95e349f6782aff13ef80

SHA256
24ec93d40be1054d0e1b7ca38298749d646b119d55b9672a209ca3fd0aeffd0e

SHA512
7feeb7151c42e4290bae90c43e7de0c04b1889d9b763e49980df599d1302578dfff3d500eb2c4f1dcf639b6018ed7c16062f45fcaa0e529a10f1640251d4eaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe

Filesize
10.4MB

MD5
f856285bec9c0e3e8ed6e5b1cb85db48

SHA1
484182be435f61cd2b0037bca83115e243ae2149

SHA256
fe0392ad1b391145716ac80c34a85ab3664cf34b790a0241467ced8b1b46a346

SHA512
88e1e143d356b1c9954be17559b44bcf7d2ae5b92ff5f48121cddf7902486dcda40d9ec046e25ee0f3126ffcca8f1c88e14134b8ce208ea9bd6cff7fdf76201d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rccavxqagn.exe

Filesize
10.4MB

MD5
455f8b7043794882e12ded7367059d7c

SHA1
4905af043eb9f7226e054dbd3a19cc998f9e3a11

SHA256
813e1e6bbd5a6d6ec5944a2530e0d49005e504876f9955fb19479342ebd5935e

SHA512
93bbc01b1982bb09872c3a208b33eb224128ea6a0d32441ca082c28b213e65dda7045816cf2f5d0f235213aa7ec4c0a523b4a469ba1e778c6697c3116d3f0140

Download Submit
C:\Users\Admin\AppData\Local\Temp\thzjxnmmek.exe

Filesize
10.4MB

MD5
c5d6270fd15dbdbba25abd2ee7724dc7

SHA1
c3495f49fb7b31666dc7dfd1b44f342eadb85583

SHA256
2fedce6898dfd7ffe79335bfc8f146ac2b4d5ace018dbaa28d0e9870e480b977

SHA512
0892c71a16078b23b20df902b83373966d545c76778ce1cef0c3f18ee9afb2f42734e6a84639217891ac8feb4fffea9997e4192e0664d3d6d5297b3a8b8ccd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
b0b2a79823812fcd6ee4dff20745ff75

SHA1
8ffc8716b8a394ebdcb49f0bc6fc4e2eefb3d9ad

SHA256
fa4d024792fc9486e5cb79f9225f70040f0e04531fa8e10dc07224e626dfecbe

SHA512
2e2535038761799c65dc26e5712a8290b1bd8dc08839b556e3b9ddeb8766f02b55051af7a0c7253f6eb5fb2e4959d66b9347d970d9b282afe74f683b9c4063d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
bba7fc052431f0fb616bf3c117f5ba57

SHA1
4e5beb94d3b3704bdb7baf884045b5e8d6b08f8f

SHA256
ff41ddd9157262d25440dea943a94952a190250a1145a4b90066909d54e99939

SHA512
390d91bdb7dd3f5d54ecc053509b5ed929facea80a2bfed1d656921a7456c1f4fc11e41a84766a67c401576b80a83d2d923c71332d9d0a3bf2f862da185fdb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
8822ed3109d9c0f42189de3a5d195ef4

SHA1
01407eb748690d4e7a9ff4fba41485859ad37c6c

SHA256
64e46212782056723ebaf8d057b599d1e2743ab05669a9d4375e84366c9c8cef

SHA512
6bf1f49575f2c0c66a548085bc74d96d30154e3d05ce98905b235f4f1c5ced7eee05fa94ea9bcd7dfb94935b48e426c75f241608faa971798853453d34423f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
79460aa7d3097c9f955d8dfc367cad90

SHA1
6bb41d8243c7b0e4d46792f52af347d1d7cd1063

SHA256
7eac64eec9af25c9505e40dc4b81e75a068d2690761fcb12c8cd8d8579903401

SHA512
635f675c5099884f6cab67eaad3ad67c7bfbe2aa81c9a98fa8cb9f56e59632e29e824674219e7665a4b24da117801d6a2429a990b5a91eb88aaa891d703507ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
2d726e6d11225f5f1787fa5390a403c0

SHA1
f93931a258119a7245dff167ccee98aab433ce06

SHA256
7f83bc7b3b1b52358d1753aaa52835d952451d726a766fadfa185635562aef80

SHA512
071f015c5c0fb276fb28fe73bbe0363873032dbc33bee0ece6f1c547748489a6cb278fc8ce4618bfd8eeb7cba6e39239da7569a60921b3d718224a0389ed31f7

Download Submit
\Users\Admin\AppData\Local\Temp\qmrgtwfjjw.exe

Filesize
10.4MB

MD5
8d8085f0dcba96030e3f3c1047f28aee

SHA1
33701e0a46709b7acff28daa2a40386ab362447f

SHA256
95745ced2c65465be640e84b2d1a9ba045bcd5e7af1445b35fff7f74b4fb9ed4

SHA512
409e446f1e7d53577b4e6820f3b3a235c175a16a39e34f8a1b33f722d0d566225ada1d0d07a90c4292122712829aa0ed7d4e78135334294f9a7ea704e224e6e8

Download Submit
\Users\Admin\AppData\Local\Temp\sybudmgdae.exe

Filesize
10.4MB

MD5
641bf3f077db30c22ed1144a3edb06b7

SHA1
1cf41cbf888417be0da454e9592bc194974985bb

SHA256
afc1c846ac4886ab2c3556ba093ef170ff9264df60ca6f2e43e0b33e0679496f

SHA512
b9842efc32ee8581c86883037fffe11ea5b9d91a54788d2e073447bc7a661055f29544f64a04d8d2df548be5ae7c05f02098cc2febe962946a41caf23a515654

Download Submit
\Users\Admin\AppData\Local\Temp\wwashbazlt.exe

Filesize
10.4MB

MD5
849cab71ba677ec457858bcdea3c61ea

SHA1
fcea97cfc18608d81b2dc845dfef01b68b509817

SHA256
1fb23ebd33c0f74f25ab52c6698b6a7e662d06462aa96822c5b6aa1edf4197e4

SHA512
655c5b6c2f3913d4fa5678620dc5ca61a87468334776126a89b8c82e19af8cc694a17ab2e1b654869577e09be11350f10b05af5a9f5163d39ca0447982bc9af2

Download Submit
memory/516-68-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/816-87-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1136-79-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1624-12-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1624-15-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1624-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2612-60-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2740-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2740-70-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2740-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2740-6-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2740-107-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2740-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2740-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2792-49-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2792-47-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2792-50-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2808-24-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2808-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2808-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2888-32-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2888-29-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2888-31-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download