d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a

Analysis

max time kernel
111s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Size

10.4MB
MD5

67121f5f3172b5479abe0eaae1aa0168
SHA1

883b46d2bbfeaebfc2d9f719428e8bd6be60aafc
SHA256

d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a
SHA512

567917c39ed328f66c8e644474ba909c147e4b7df433bffc49be064378de38162229f892c3bc18fa99e34267171d49b5b5b66ac30ab57c7df92365dbdfbd38a4
SSDEEP

196608:XZGmuasR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnasREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 55 IoCs

pid	Process
1728	suelozdesl.exe
1780	suelozdesl.exe
2760	jdctlcimvf.exe
3016	jdctlcimvf.exe
2812	bzzwhyckwm.exe
2808	bzzwhyckwm.exe
1144	esbkkizytq.exe
1044	esbkkizytq.exe
344	jncvtvhggl.exe
1968	jncvtvhggl.exe
1948	gqstqnpwxv.exe
348	gqstqnpwxv.exe
2000	dpjrionoot.exe
1988	dpjrionoot.exe
2244	hzhvpflkcm.exe
1188	hzhvpflkcm.exe
1916	aefwvcrpss.exe
1624	aefwvcrpss.exe
800	psbuzrrepl.exe
1468	psbuzrrepl.exe
2220	xeuvmtmpjx.exe
1808	xeuvmtmpjx.exe
728	zmqzuvfbnd.exe
1720	zmqzuvfbnd.exe
928	syopeybpti.exe
652	syopeybpti.exe
3068	hjfqtlpopn.exe
2324	hjfqtlpopn.exe
2472	hpmctxfrmp.exe
740	hpmctxfrmp.exe
2872	hivmnsgiab.exe
2620	hivmnsgiab.exe
2700	oexzedryny.exe
2808	oexzedryny.exe
2656	zaykmxsvbj.exe
2896	zaykmxsvbj.exe
2924	jhkhewzvbh.exe
3000	jhkhewzvbh.exe
764	rohpgovgwi.exe
2624	rohpgovgwi.exe
1080	dvhqhhvrjm.exe
1492	dvhqhhvrjm.exe
1800	lzsdqayhwb.exe
2096	lzsdqayhwb.exe
1976	ytytbekrja.exe
2344	ytytbekrja.exe
844	iacqudkqjy.exe
2008	iacqudkqjy.exe
2976	koftpeyjdt.exe
840	koftpeyjdt.exe
1256	rvalbtibkv.exe
1300	rvalbtibkv.exe
1932	tyblpwbhma.exe
1980	tyblpwbhma.exe
800	uqnmxgqskj.exe

Loads dropped DLL 55 IoCs

pid	Process
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1728	suelozdesl.exe
1728	suelozdesl.exe
2760	jdctlcimvf.exe
2760	jdctlcimvf.exe
2812	bzzwhyckwm.exe
2812	bzzwhyckwm.exe
1144	esbkkizytq.exe
1144	esbkkizytq.exe
344	jncvtvhggl.exe
344	jncvtvhggl.exe
1948	gqstqnpwxv.exe
1948	gqstqnpwxv.exe
2000	dpjrionoot.exe
2000	dpjrionoot.exe
2244	hzhvpflkcm.exe
2244	hzhvpflkcm.exe
1916	aefwvcrpss.exe
1916	aefwvcrpss.exe
800	psbuzrrepl.exe
800	psbuzrrepl.exe
2220	xeuvmtmpjx.exe
2220	xeuvmtmpjx.exe
728	zmqzuvfbnd.exe
728	zmqzuvfbnd.exe
928	syopeybpti.exe
928	syopeybpti.exe
3068	hjfqtlpopn.exe
1644	fylwjfttpr.exe
2472	hpmctxfrmp.exe
2472	hpmctxfrmp.exe
2872	hivmnsgiab.exe
2872	hivmnsgiab.exe
2700	oexzedryny.exe
2700	oexzedryny.exe
2656	zaykmxsvbj.exe
2656	zaykmxsvbj.exe
2924	jhkhewzvbh.exe
2924	jhkhewzvbh.exe
764	rohpgovgwi.exe
764	rohpgovgwi.exe
1080	dvhqhhvrjm.exe
1080	dvhqhhvrjm.exe
1800	lzsdqayhwb.exe
1800	lzsdqayhwb.exe
1976	ytytbekrja.exe
1976	ytytbekrja.exe
844	iacqudkqjy.exe
844	iacqudkqjy.exe
2976	koftpeyjdt.exe
2976	koftpeyjdt.exe
1256	rvalbtibkv.exe
1256	rvalbtibkv.exe
1932	tyblpwbhma.exe
1932	tyblpwbhma.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 58 IoCs

pid	Process
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2456	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1728	suelozdesl.exe
1780	suelozdesl.exe
2760	jdctlcimvf.exe
3016	jdctlcimvf.exe
2812	bzzwhyckwm.exe
2808	bzzwhyckwm.exe
1144	esbkkizytq.exe
1044	esbkkizytq.exe
344	jncvtvhggl.exe
1968	jncvtvhggl.exe
1948	gqstqnpwxv.exe
348	gqstqnpwxv.exe
2000	dpjrionoot.exe
1988	dpjrionoot.exe
2244	hzhvpflkcm.exe
1188	hzhvpflkcm.exe
1916	aefwvcrpss.exe
1624	aefwvcrpss.exe
800	psbuzrrepl.exe
1468	psbuzrrepl.exe
2220	xeuvmtmpjx.exe
1808	xeuvmtmpjx.exe
728	zmqzuvfbnd.exe
1720	zmqzuvfbnd.exe
928	syopeybpti.exe
652	syopeybpti.exe
3068	hjfqtlpopn.exe
1644	fylwjfttpr.exe
1824	fylwjfttpr.exe
2472	hpmctxfrmp.exe
740	hpmctxfrmp.exe
2872	hivmnsgiab.exe
2620	hivmnsgiab.exe
2700	oexzedryny.exe
2808	oexzedryny.exe
2656	zaykmxsvbj.exe
2896	zaykmxsvbj.exe
2924	jhkhewzvbh.exe
3000	jhkhewzvbh.exe
764	rohpgovgwi.exe
2624	rohpgovgwi.exe
1080	dvhqhhvrjm.exe
1492	dvhqhhvrjm.exe
1800	lzsdqayhwb.exe
2096	lzsdqayhwb.exe
1976	ytytbekrja.exe
2344	ytytbekrja.exe
844	iacqudkqjy.exe
2008	iacqudkqjy.exe
2976	koftpeyjdt.exe
840	koftpeyjdt.exe
1256	rvalbtibkv.exe
1300	rvalbtibkv.exe
1932	tyblpwbhma.exe
1980	tyblpwbhma.exe
800	uqnmxgqskj.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syopeybpti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iacqudkqjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iacqudkqjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpjrionoot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefwvcrpss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzzwhyckwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psbuzrrepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqstqnpwxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oexzedryny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzsdqayhwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzsdqayhwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uqnmxgqskj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esbkkizytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jncvtvhggl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oexzedryny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmqzuvfbnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jncvtvhggl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefwvcrpss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syopeybpti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpmctxfrmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhkhewzvbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koftpeyjdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suelozdesl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esbkkizytq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koftpeyjdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hivmnsgiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hivmnsgiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvhqhhvrjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytytbekrja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpjrionoot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fylwjfttpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjfqtlpopn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaykmxsvbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rohpgovgwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmqzuvfbnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fylwjfttpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpmctxfrmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvhqhhvrjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdctlcimvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjfqtlpopn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyblpwbhma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suelozdesl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqstqnpwxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeuvmtmpjx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvalbtibkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psbuzrrepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeuvmtmpjx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdctlcimvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzzwhyckwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyblpwbhma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rohpgovgwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytytbekrja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhkhewzvbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzhvpflkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaykmxsvbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzhvpflkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvalbtibkv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2456	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1728	suelozdesl.exe
1728	suelozdesl.exe
1780	suelozdesl.exe
2760	jdctlcimvf.exe
2760	jdctlcimvf.exe
3016	jdctlcimvf.exe
1728	suelozdesl.exe
2812	bzzwhyckwm.exe
2812	bzzwhyckwm.exe
2760	jdctlcimvf.exe
2808	bzzwhyckwm.exe
1144	esbkkizytq.exe
2812	bzzwhyckwm.exe
1144	esbkkizytq.exe
1044	esbkkizytq.exe
344	jncvtvhggl.exe
344	jncvtvhggl.exe
1968	jncvtvhggl.exe
1144	esbkkizytq.exe
344	jncvtvhggl.exe
1948	gqstqnpwxv.exe
1948	gqstqnpwxv.exe
348	gqstqnpwxv.exe
1948	gqstqnpwxv.exe
2000	dpjrionoot.exe
2000	dpjrionoot.exe
1988	dpjrionoot.exe
2244	hzhvpflkcm.exe
2244	hzhvpflkcm.exe
1188	hzhvpflkcm.exe
2000	dpjrionoot.exe
1916	aefwvcrpss.exe
1916	aefwvcrpss.exe
1624	aefwvcrpss.exe
2244	hzhvpflkcm.exe
800	psbuzrrepl.exe
1916	aefwvcrpss.exe
800	psbuzrrepl.exe
1468	psbuzrrepl.exe
2220	xeuvmtmpjx.exe
2220	xeuvmtmpjx.exe
1808	xeuvmtmpjx.exe
800	psbuzrrepl.exe
728	zmqzuvfbnd.exe
728	zmqzuvfbnd.exe
1720	zmqzuvfbnd.exe
2220	xeuvmtmpjx.exe
928	syopeybpti.exe
928	syopeybpti.exe
728	zmqzuvfbnd.exe
652	syopeybpti.exe
3068	hjfqtlpopn.exe
3068	hjfqtlpopn.exe
928	syopeybpti.exe
1644	fylwjfttpr.exe
1644	fylwjfttpr.exe
1824	fylwjfttpr.exe
2472	hpmctxfrmp.exe
2472	hpmctxfrmp.exe
740	hpmctxfrmp.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2456	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
2456	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1728	suelozdesl.exe
1728	suelozdesl.exe
1780	suelozdesl.exe
1780	suelozdesl.exe
2760	jdctlcimvf.exe
2760	jdctlcimvf.exe
3016	jdctlcimvf.exe
3016	jdctlcimvf.exe
2812	bzzwhyckwm.exe
2812	bzzwhyckwm.exe
2808	bzzwhyckwm.exe
2808	bzzwhyckwm.exe
1144	esbkkizytq.exe
1144	esbkkizytq.exe
1044	esbkkizytq.exe
1044	esbkkizytq.exe
344	jncvtvhggl.exe
344	jncvtvhggl.exe
1968	jncvtvhggl.exe
1968	jncvtvhggl.exe
1948	gqstqnpwxv.exe
1948	gqstqnpwxv.exe
348	gqstqnpwxv.exe
348	gqstqnpwxv.exe
2000	dpjrionoot.exe
2000	dpjrionoot.exe
1988	dpjrionoot.exe
1988	dpjrionoot.exe
2244	hzhvpflkcm.exe
2244	hzhvpflkcm.exe
1188	hzhvpflkcm.exe
1188	hzhvpflkcm.exe
1916	aefwvcrpss.exe
1916	aefwvcrpss.exe
1624	aefwvcrpss.exe
1624	aefwvcrpss.exe
800	psbuzrrepl.exe
800	psbuzrrepl.exe
1468	psbuzrrepl.exe
1468	psbuzrrepl.exe
2220	xeuvmtmpjx.exe
2220	xeuvmtmpjx.exe
1808	xeuvmtmpjx.exe
1808	xeuvmtmpjx.exe
728	zmqzuvfbnd.exe
728	zmqzuvfbnd.exe
1720	zmqzuvfbnd.exe
1720	zmqzuvfbnd.exe
928	syopeybpti.exe
928	syopeybpti.exe
652	syopeybpti.exe
652	syopeybpti.exe
3068	hjfqtlpopn.exe
3068	hjfqtlpopn.exe
1644	fylwjfttpr.exe
1644	fylwjfttpr.exe
1824	fylwjfttpr.exe
1824	fylwjfttpr.exe
2472	hpmctxfrmp.exe
2472	hpmctxfrmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2456	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	31
PID 2992 wrote to memory of 2456	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	31
PID 2992 wrote to memory of 2456	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	31
PID 2992 wrote to memory of 2456	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	31
PID 2992 wrote to memory of 1728	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	32
PID 2992 wrote to memory of 1728	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	32
PID 2992 wrote to memory of 1728	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	32
PID 2992 wrote to memory of 1728	2992	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	32
PID 1728 wrote to memory of 1780	1728	suelozdesl.exe	33
PID 1728 wrote to memory of 1780	1728	suelozdesl.exe	33
PID 1728 wrote to memory of 1780	1728	suelozdesl.exe	33
PID 1728 wrote to memory of 1780	1728	suelozdesl.exe	33
PID 1728 wrote to memory of 2760	1728	suelozdesl.exe	34
PID 1728 wrote to memory of 2760	1728	suelozdesl.exe	34
PID 1728 wrote to memory of 2760	1728	suelozdesl.exe	34
PID 1728 wrote to memory of 2760	1728	suelozdesl.exe	34
PID 2760 wrote to memory of 3016	2760	jdctlcimvf.exe	35
PID 2760 wrote to memory of 3016	2760	jdctlcimvf.exe	35
PID 2760 wrote to memory of 3016	2760	jdctlcimvf.exe	35
PID 2760 wrote to memory of 3016	2760	jdctlcimvf.exe	35
PID 2760 wrote to memory of 2812	2760	jdctlcimvf.exe	36
PID 2760 wrote to memory of 2812	2760	jdctlcimvf.exe	36
PID 2760 wrote to memory of 2812	2760	jdctlcimvf.exe	36
PID 2760 wrote to memory of 2812	2760	jdctlcimvf.exe	36
PID 2812 wrote to memory of 2808	2812	bzzwhyckwm.exe	37
PID 2812 wrote to memory of 2808	2812	bzzwhyckwm.exe	37
PID 2812 wrote to memory of 2808	2812	bzzwhyckwm.exe	37
PID 2812 wrote to memory of 2808	2812	bzzwhyckwm.exe	37
PID 2812 wrote to memory of 1144	2812	bzzwhyckwm.exe	38
PID 2812 wrote to memory of 1144	2812	bzzwhyckwm.exe	38
PID 2812 wrote to memory of 1144	2812	bzzwhyckwm.exe	38
PID 2812 wrote to memory of 1144	2812	bzzwhyckwm.exe	38
PID 1144 wrote to memory of 1044	1144	esbkkizytq.exe	39
PID 1144 wrote to memory of 1044	1144	esbkkizytq.exe	39
PID 1144 wrote to memory of 1044	1144	esbkkizytq.exe	39
PID 1144 wrote to memory of 1044	1144	esbkkizytq.exe	39
PID 1144 wrote to memory of 344	1144	esbkkizytq.exe	40
PID 1144 wrote to memory of 344	1144	esbkkizytq.exe	40
PID 1144 wrote to memory of 344	1144	esbkkizytq.exe	40
PID 1144 wrote to memory of 344	1144	esbkkizytq.exe	40
PID 344 wrote to memory of 1968	344	jncvtvhggl.exe	41
PID 344 wrote to memory of 1968	344	jncvtvhggl.exe	41
PID 344 wrote to memory of 1968	344	jncvtvhggl.exe	41
PID 344 wrote to memory of 1968	344	jncvtvhggl.exe	41
PID 344 wrote to memory of 1948	344	jncvtvhggl.exe	42
PID 344 wrote to memory of 1948	344	jncvtvhggl.exe	42
PID 344 wrote to memory of 1948	344	jncvtvhggl.exe	42
PID 344 wrote to memory of 1948	344	jncvtvhggl.exe	42
PID 1948 wrote to memory of 348	1948	gqstqnpwxv.exe	43
PID 1948 wrote to memory of 348	1948	gqstqnpwxv.exe	43
PID 1948 wrote to memory of 348	1948	gqstqnpwxv.exe	43
PID 1948 wrote to memory of 348	1948	gqstqnpwxv.exe	43
PID 1948 wrote to memory of 2000	1948	gqstqnpwxv.exe	44
PID 1948 wrote to memory of 2000	1948	gqstqnpwxv.exe	44
PID 1948 wrote to memory of 2000	1948	gqstqnpwxv.exe	44
PID 1948 wrote to memory of 2000	1948	gqstqnpwxv.exe	44
PID 2000 wrote to memory of 1988	2000	dpjrionoot.exe	45
PID 2000 wrote to memory of 1988	2000	dpjrionoot.exe	45
PID 2000 wrote to memory of 1988	2000	dpjrionoot.exe	45
PID 2000 wrote to memory of 1988	2000	dpjrionoot.exe	45
PID 2000 wrote to memory of 2244	2000	dpjrionoot.exe	46
PID 2000 wrote to memory of 2244	2000	dpjrionoot.exe	46
PID 2000 wrote to memory of 2244	2000	dpjrionoot.exe	46
PID 2000 wrote to memory of 2244	2000	dpjrionoot.exe	46

C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
"C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
  C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe update suelozdesl.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\suelozdesl.exe
  C:\Users\Admin\AppData\Local\Temp\suelozdesl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\suelozdesl.exe
    C:\Users\Admin\AppData\Local\Temp\suelozdesl.exe update jdctlcimvf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\jdctlcimvf.exe
    C:\Users\Admin\AppData\Local\Temp\jdctlcimvf.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\jdctlcimvf.exe
      C:\Users\Admin\AppData\Local\Temp\jdctlcimvf.exe update bzzwhyckwm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\bzzwhyckwm.exe
      C:\Users\Admin\AppData\Local\Temp\bzzwhyckwm.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\bzzwhyckwm.exe
        
        C:\Users\Admin\AppData\Local\Temp\bzzwhyckwm.exe update esbkkizytq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\esbkkizytq.exe
        
        C:\Users\Admin\AppData\Local\Temp\esbkkizytq.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\esbkkizytq.exe
        
        C:\Users\Admin\AppData\Local\Temp\esbkkizytq.exe update jncvtvhggl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\jncvtvhggl.exe
        
        C:\Users\Admin\AppData\Local\Temp\jncvtvhggl.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\jncvtvhggl.exe
        
        C:\Users\Admin\AppData\Local\Temp\jncvtvhggl.exe update gqstqnpwxv.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\gqstqnpwxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqstqnpwxv.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\gqstqnpwxv.exe
        
        C:\Users\Admin\AppData\Local\Temp\gqstqnpwxv.exe update dpjrionoot.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\dpjrionoot.exe
        
        C:\Users\Admin\AppData\Local\Temp\dpjrionoot.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\dpjrionoot.exe
        
        C:\Users\Admin\AppData\Local\Temp\dpjrionoot.exe update hzhvpflkcm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\hzhvpflkcm.exe
        
        C:\Users\Admin\AppData\Local\Temp\hzhvpflkcm.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\hzhvpflkcm.exe
        
        C:\Users\Admin\AppData\Local\Temp\hzhvpflkcm.exe update aefwvcrpss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\aefwvcrpss.exe
        
        C:\Users\Admin\AppData\Local\Temp\aefwvcrpss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\aefwvcrpss.exe
        
        C:\Users\Admin\AppData\Local\Temp\aefwvcrpss.exe update psbuzrrepl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\psbuzrrepl.exe
        
        C:\Users\Admin\AppData\Local\Temp\psbuzrrepl.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\psbuzrrepl.exe
        
        C:\Users\Admin\AppData\Local\Temp\psbuzrrepl.exe update xeuvmtmpjx.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\xeuvmtmpjx.exe
        
        C:\Users\Admin\AppData\Local\Temp\xeuvmtmpjx.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\xeuvmtmpjx.exe
        
        C:\Users\Admin\AppData\Local\Temp\xeuvmtmpjx.exe update zmqzuvfbnd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\zmqzuvfbnd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zmqzuvfbnd.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\zmqzuvfbnd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zmqzuvfbnd.exe update syopeybpti.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\syopeybpti.exe
        
        C:\Users\Admin\AppData\Local\Temp\syopeybpti.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\syopeybpti.exe
        
        C:\Users\Admin\AppData\Local\Temp\syopeybpti.exe update hjfqtlpopn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\hjfqtlpopn.exe
        
        C:\Users\Admin\AppData\Local\Temp\hjfqtlpopn.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\hjfqtlpopn.exe
        
        C:\Users\Admin\AppData\Local\Temp\hjfqtlpopn.exe update fylwjfttpr.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\fylwjfttpr.exe
        
        C:\Users\Admin\AppData\Local\Temp\fylwjfttpr.exe
        16⤵
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\fylwjfttpr.exe
        
        C:\Users\Admin\AppData\Local\Temp\fylwjfttpr.exe update hpmctxfrmp.exe
        17⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\hpmctxfrmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\hpmctxfrmp.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\hpmctxfrmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\hpmctxfrmp.exe update hivmnsgiab.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\hivmnsgiab.exe
        
        C:\Users\Admin\AppData\Local\Temp\hivmnsgiab.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\hivmnsgiab.exe
        
        C:\Users\Admin\AppData\Local\Temp\hivmnsgiab.exe update oexzedryny.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\oexzedryny.exe
        
        C:\Users\Admin\AppData\Local\Temp\oexzedryny.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\oexzedryny.exe
        
        C:\Users\Admin\AppData\Local\Temp\oexzedryny.exe update zaykmxsvbj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\zaykmxsvbj.exe
        
        C:\Users\Admin\AppData\Local\Temp\zaykmxsvbj.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\zaykmxsvbj.exe
        
        C:\Users\Admin\AppData\Local\Temp\zaykmxsvbj.exe update jhkhewzvbh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\jhkhewzvbh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jhkhewzvbh.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\jhkhewzvbh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jhkhewzvbh.exe update rohpgovgwi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\rohpgovgwi.exe
        
        C:\Users\Admin\AppData\Local\Temp\rohpgovgwi.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\rohpgovgwi.exe
        
        C:\Users\Admin\AppData\Local\Temp\rohpgovgwi.exe update dvhqhhvrjm.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\dvhqhhvrjm.exe
        
        C:\Users\Admin\AppData\Local\Temp\dvhqhhvrjm.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\dvhqhhvrjm.exe
        
        C:\Users\Admin\AppData\Local\Temp\dvhqhhvrjm.exe update lzsdqayhwb.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\lzsdqayhwb.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzsdqayhwb.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\lzsdqayhwb.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzsdqayhwb.exe update ytytbekrja.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\ytytbekrja.exe
        
        C:\Users\Admin\AppData\Local\Temp\ytytbekrja.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\ytytbekrja.exe
        
        C:\Users\Admin\AppData\Local\Temp\ytytbekrja.exe update iacqudkqjy.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\iacqudkqjy.exe
        
        C:\Users\Admin\AppData\Local\Temp\iacqudkqjy.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\iacqudkqjy.exe
        
        C:\Users\Admin\AppData\Local\Temp\iacqudkqjy.exe update koftpeyjdt.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\koftpeyjdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\koftpeyjdt.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\koftpeyjdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\koftpeyjdt.exe update rvalbtibkv.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\rvalbtibkv.exe
        
        C:\Users\Admin\AppData\Local\Temp\rvalbtibkv.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\rvalbtibkv.exe
        
        C:\Users\Admin\AppData\Local\Temp\rvalbtibkv.exe update tyblpwbhma.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tyblpwbhma.exe
        
        C:\Users\Admin\AppData\Local\Temp\tyblpwbhma.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tyblpwbhma.exe
        
        C:\Users\Admin\AppData\Local\Temp\tyblpwbhma.exe update uqnmxgqskj.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\uqnmxgqskj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uqnmxgqskj.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\uqnmxgqskj.exe
        
        C:\Users\Admin\AppData\Local\Temp\uqnmxgqskj.exe update mewzzettlx.exe
        31⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\mewzzettlx.exe
        
        C:\Users\Admin\AppData\Local\Temp\mewzzettlx.exe
        31⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\mewzzettlx.exe
        
        C:\Users\Admin\AppData\Local\Temp\mewzzettlx.exe update zrfpfisyzw.exe
        32⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\zrfpfisyzw.exe
        
        C:\Users\Admin\AppData\Local\Temp\zrfpfisyzw.exe
        32⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\zrfpfisyzw.exe
        
        C:\Users\Admin\AppData\Local\Temp\zrfpfisyzw.exe update ruuzgsknur.exe
        33⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\ruuzgsknur.exe
        
        C:\Users\Admin\AppData\Local\Temp\ruuzgsknur.exe
        33⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\ruuzgsknur.exe
        
        C:\Users\Admin\AppData\Local\Temp\ruuzgsknur.exe update qbrkgnabzd.exe
        34⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\qbrkgnabzd.exe
        
        C:\Users\Admin\AppData\Local\Temp\qbrkgnabzd.exe
        34⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\qbrkgnabzd.exe
        
        C:\Users\Admin\AppData\Local\Temp\qbrkgnabzd.exe update fvvndqzocu.exe
        35⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\fvvndqzocu.exe
        
        C:\Users\Admin\AppData\Local\Temp\fvvndqzocu.exe
        35⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\fvvndqzocu.exe
        
        C:\Users\Admin\AppData\Local\Temp\fvvndqzocu.exe update xlsajvacos.exe
        36⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\xlsajvacos.exe
        
        C:\Users\Admin\AppData\Local\Temp\xlsajvacos.exe
        36⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\xlsajvacos.exe
        
        C:\Users\Admin\AppData\Local\Temp\xlsajvacos.exe update zyqtwsghex.exe
        37⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\zyqtwsghex.exe
        
        C:\Users\Admin\AppData\Local\Temp\zyqtwsghex.exe
        37⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\zyqtwsghex.exe
        
        C:\Users\Admin\AppData\Local\Temp\zyqtwsghex.exe update eonosyrjkl.exe
        38⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\eonosyrjkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\eonosyrjkl.exe
        38⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\eonosyrjkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\eonosyrjkl.exe update gymdluzirt.exe
        39⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\gymdluzirt.exe
        
        C:\Users\Admin\AppData\Local\Temp\gymdluzirt.exe
        39⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\gymdluzirt.exe
        
        C:\Users\Admin\AppData\Local\Temp\gymdluzirt.exe update nzbozelrfh.exe
        40⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\nzbozelrfh.exe
        
        C:\Users\Admin\AppData\Local\Temp\nzbozelrfh.exe
        40⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\nzbozelrfh.exe
        
        C:\Users\Admin\AppData\Local\Temp\nzbozelrfh.exe update ybomyyuogk.exe
        41⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\ybomyyuogk.exe
        
        C:\Users\Admin\AppData\Local\Temp\ybomyyuogk.exe
        41⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\ybomyyuogk.exe
        
        C:\Users\Admin\AppData\Local\Temp\ybomyyuogk.exe update ncvrfsaibw.exe
        42⤵
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aefwvcrpss.exe

Filesize
10.4MB

MD5
9d640773eca10b0040e0755ac359dcd0

SHA1
852e076438e84c1ab3317a2b332a70b98f95ac8d

SHA256
44fc8f8371cbc35a1b51f70154d4ef12b53bfc16b533fff195f035f0b219ddf1

SHA512
9b6084f051a3a8ee8676ee3bbc6b19ee47d96a9171a48999ebd9ad0cbfb0314daa2d8d2bf6e86d2f182496eff4eae11ba2420065a603ead783b7d21c1702e2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzzwhyckwm.exe

Filesize
10.4MB

MD5
7aaaaa2c87b0a92ba063aee8c6d7a40c

SHA1
c6202c863975b7b10a946c2f86546793e9e2f116

SHA256
dc8a5abcaa75d82136f5cea37c9b6b80a9b3a949559cb1d17c3516bdc2ee7df9

SHA512
061252a3778a58b17162c64ddd2d406138a669b71f560dddf307bd80ef6bc8891c75ae122672f6eeaa612d3d4b50a3e88e86007e2752084ceb6f2142d011b6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpjrionoot.exe

Filesize
10.4MB

MD5
0ee48d77c0074d5825f446f00ad82740

SHA1
d3d81fb1a352982d71ee71f4164321942c1ab0cf

SHA256
f72d4b0dcf9493a1b05fa3f925d37b3b5bdbdce751358e32b4be8e26468be66e

SHA512
597c5419cda65e241d7d8a3b03edaad7d6071c122ea5e6fce877729786b7ba3f49efdf5fdd5ed33de122ac73ff9ca8b899e24adf38efebd024bd5263d7a89ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\esbkkizytq.exe

Filesize
10.4MB

MD5
50c6de2a1b48e3fa7585b0becd6b3258

SHA1
32f1b12062058af5d84d4789336a1210e5586555

SHA256
69ef7c81a858fd2b5769e83fe25d1f679636a53853c91a2ade7c43c7a7f8894e

SHA512
5746ca2195c0b185cf66b01fb0f7177ec7c08f71e6add76214192184df72b12f77f4a848bb2ff8bcd725f7d7fa6b38b50ff28b6cf4fe23a6bb2792f014204ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gqstqnpwxv.exe

Filesize
10.4MB

MD5
0407494281d2a783594683db9bfc3364

SHA1
dafb83d68c4a2a200a41b87a3a3c147850e783ea

SHA256
5d929f6b89aac5ec7a19aa02db526920ade08939e679636c6a43f0e9410bc5fd

SHA512
5a827e905812da3cfdf0f34db1a7d629dc116217f4ae7697193a9d37dda6649823d7dbeaf66756672e4bb1e866d2f34863b1187c2d3dc36fa0fbfa111e803d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzhvpflkcm.exe

Filesize
10.4MB

MD5
b002abd34c4fb6cbcf73800db41e4dac

SHA1
5a95ebf1eb6c690a617cfbce92d2498357332df0

SHA256
37b11dd70c8d0247f4fb10f254f1d09dbeefc9119738557daed8613d7cff3418

SHA512
5bb1fa3ab4bbe85d92c7f34d7842644a21177df63b8f9b455cb73828656968f8c708acf4e3152ce4b723e9d10f67289248968ca2663de390024cd47f5875d089

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdctlcimvf.exe

Filesize
10.4MB

MD5
47d870b207c319415953c3a074953296

SHA1
f5d1f422cc39f5691b474de4eeddb634d1823c1f

SHA256
ce6a9d6a59df45eec23b9102988a04ef134d94f349cb86ba5cd64462738d9733

SHA512
29bb69d26d5d89d48e1b02b1b40e786de396e2b8c86bb8c62c9fe48ec4e41ba9e75a502bc006ad05f78d696cc796763a543d544630292095f6131db216eb53b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jncvtvhggl.exe

Filesize
10.4MB

MD5
8926bdf826d4b4061320578ac428b0d0

SHA1
70f6fa4ce95881adca820b4c258ced42dc1b7b91

SHA256
e0b80dc5df83a6aa7c8e9690a8c3dc66e47132201da4061c3df547816359b866

SHA512
6c105336f90db05932af0743fb4e12331678cd9d6ebd48555eb314f30e596177787fb51cadb5e98afca8fe8e1b31c3de8eb250b14c5dbd2a59f28e253b3f6660

Download Submit
C:\Users\Admin\AppData\Local\Temp\psbuzrrepl.exe

Filesize
10.4MB

MD5
a6f1d8fde0a17172a3571ecb715d2df0

SHA1
fbf39655dea52d0497c0be04a40c8e80c947b7b7

SHA256
fb03d1c594188fd6b3ab6b34199127da49f5b8df22d0747c2144ede29c61c614

SHA512
bc0f426ae913f7fc1fd2fc9ab74dd31b425c653c39bfe9519a8e75e7200b4dee4b9d9c314ca23fa8a31555f3a724bf960c74f8d9a30c52c9ad7a40cb88bc7f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\suelozdesl.exe

Filesize
10.4MB

MD5
575e3de9ebd196b6bee6a57a24ded72e

SHA1
71c502df62c37e86daea5661dae49b7193f2b81c

SHA256
10fce9d5af0430ac7da80fccba3ffbbfb6c90cad228bd0f4c8b8f32eb9cc0368

SHA512
96fca020134fdbeccef2c8b2310304af4df26458b6bb0b93f717b26ad1c027360743dea3d384cc6a2caa2155ff13fdea6038f4432c625794c080243d3eb41bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
31a9c9192a5e0dc657fd106e1e2c4abe

SHA1
6fcc666afadf9832a13b104f92402d6181bf3b18

SHA256
d56a1c2f12d50ed31f02f2efa6cc79a76bb418db2971a3ad0288272e05823629

SHA512
443966b02a5387a43cb3abb71d22810237d9197c2bb399c69abf1e9786098e3c82c54d3421cdc4f65485e6c73318e5b3f48240e697acfa72800dc589e36a9a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
9da50b59538e2aa8327618bcac386437

SHA1
88b0361b0a9e16ecc5d3101cab7448244cd51383

SHA256
1ebce6c7a5a1793133403ebf937d8ecf929cfc54913c794db41d4b6be5c36b3d

SHA512
7c7c29a4c32b201e7189c7e500eeb306ace213766eb44a4976b33cf588ca9faff6db5f44f5a4dc412f1a8c393b9e3f51f388b488ac1576a72581a6645e46dfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
229309c32bc70b41389ef52c1f94af7a

SHA1
548358aca26e9bfab289f351e91c3f2608fe7aa8

SHA256
02d678083a756840d4d0c5907546871c15631d52467d6de046383d2c2614207f

SHA512
eba99d90a07bc07f7f99d474ee38bad1fed36f7ae43cb10ac883c357bad41b48166526e0bf82cee01b5cde3df61fd765fc6dd49d8def78ea15db280e3b25c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
8aee77b78f911c39ff499dee8e5e9017

SHA1
0d30cfd90ae5a613927831fed3dd34692df0b5f3

SHA256
3bb36474dffe6991e16cf236677b1f0d32a3c0cc2e3a7b9e68cd3cc1cdb7f2d9

SHA512
8534e19c0239b3f01e0363a8476aef5714976091dfd732bd958201745c88c8dbc614aacd86f03f7f5799941d22f1aa41be0e9081a198ea0a99a555f8946f6005

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
d6f6b5ac47af27c2ccf2bea41a5c9c83

SHA1
b05f9cdc1712feb596b24d543fe6605d8be7e152

SHA256
17acdcf1471eef6c8a0e756f970eccbcc6d8a8dcb8b734d1f6ab091c7dd60ed4

SHA512
e9d0bf041a9b4c1018b8c7fed1e61c73bac8f3a72cef3db71e0d67017d23c7d7cf6b18900089bd9755b54ac5679f9467653b76a46145c1d3ab8593ca3dd8c5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
37384313925039ea579bc0d1f2be5d77

SHA1
77a88d43bb5c6810b1c7d617790ae06c3d6e9972

SHA256
51f6a7eed0ae05d759f49c091bdc422cafdb880b10a98f4498ae874991da7ed1

SHA512
96d276e7823fb220cb90eae3c10841b8d18eaae0c31d5b401b5ae76428e7982154485804d6b8b1490757206c1b36adcbec9242dbca3bff2813ae90f5675c03c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeuvmtmpjx.exe

Filesize
10.4MB

MD5
26d9e75da7b1892c4ae36b638fcc28e0

SHA1
43a6f288ad77d47cd2ed7ac8dd4fabc96a9296a0

SHA256
45cbcdd30ef3cf6c3cbcc1d0773d70ba649ec7add725bade3c17cb3b3d655d6d

SHA512
226ea5c99526e6e36ad0497af1a57e821a49529d76cb76f32d5577840a8f4205860424a32cca70050a74312573305577c613ac9bc97d996723c2b67fb8a71a04

Download Submit
memory/1044-90-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1144-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1728-24-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1780-29-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1780-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1780-32-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2456-12-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2456-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2456-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2456-11-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2456-15-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2760-42-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2808-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2808-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2808-70-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2812-62-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2992-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2992-56-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2992-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2992-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2992-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2992-6-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/3016-50-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download