d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a

Analysis

max time kernel
74s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Size

10.4MB
MD5

67121f5f3172b5479abe0eaae1aa0168
SHA1

883b46d2bbfeaebfc2d9f719428e8bd6be60aafc
SHA256

d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a
SHA512

567917c39ed328f66c8e644474ba909c147e4b7df433bffc49be064378de38162229f892c3bc18fa99e34267171d49b5b5b66ac30ab57c7df92365dbdfbd38a4
SSDEEP

196608:XZGmuasR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnasREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1140	inwckzrkjr.exe
1364	inwckzrkjr.exe
4144	qrhufrrszm.exe
2180	qrhufrrszm.exe
4216	igfsficott.exe
1208	igfsficott.exe
3032	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
3852	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
1500	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
4652	ddddoicqnr.exe
1464	ddddoicqnr.exe
1968	voacyjehzj.exe
2576	voacyjehzj.exe
4980	cxjdxvihll.exe
3352	cxjdxvihll.exe
2788	hrltzhlekb.exe
4732	hrltzhlekb.exe
2188	cbsxbkopxx.exe
1788	cbsxbkopxx.exe
2976	zhggriogvg.exe
4700	zhggriogvg.exe
4508	nnlfcahbwg.exe
2676	nnlfcahbwg.exe
2220	mvvymxhghy.exe
3940	mvvymxhghy.exe
3636	nojmdlhgox.exe
1364	nojmdlhgox.exe
3288	mzffbmlfgq.exe
2572	mzffbmlfgq.exe
1148	kyxwucfznr.exe
3944	kyxwucfznr.exe
4752	bjwfsqulgl.exe
1472	bjwfsqulgl.exe
688	mmxgqvlfyd.exe
5104	mmxgqvlfyd.exe
3092	rdokpdphdn.exe
3516	rdokpdphdn.exe
4080	jwafirequh.exe
2816	jwafirequh.exe
4996	jmkbkcaeuu.exe
3256	jmkbkcaeuu.exe
3852	oromufrmjl.exe
3440	oromufrmjl.exe
2940	zreneyemva.exe
1388	zreneyemva.exe
1352	mtvgpfvvdh.exe
2492	mtvgpfvvdh.exe
1872	odxhyvquwx.exe
4860	odxhyvquwx.exe
3496	tnefajssgl.exe
1940	tnefajssgl.exe
1368	gahyfhweyb.exe
1072	gahyfhweyb.exe
4456	jahefocrbp.exe
4708	jahefocrbp.exe
4856	ymhcowjitl.exe
4784	ymhcowjitl.exe
1816	wymnktfdia.exe
728	wymnktfdia.exe
4544	erwqqboqus.exe
4504	erwqqboqus.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1596	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1140	inwckzrkjr.exe
1364	inwckzrkjr.exe
4144	qrhufrrszm.exe
2180	qrhufrrszm.exe
4216	igfsficott.exe
1208	igfsficott.exe
3032	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
3852	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
1500	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
4652	ddddoicqnr.exe
1464	ddddoicqnr.exe
1968	voacyjehzj.exe
2576	voacyjehzj.exe
4980	cxjdxvihll.exe
3352	cxjdxvihll.exe
2788	hrltzhlekb.exe
4732	hrltzhlekb.exe
2188	cbsxbkopxx.exe
1788	cbsxbkopxx.exe
2976	zhggriogvg.exe
4700	zhggriogvg.exe
4508	nnlfcahbwg.exe
2676	nnlfcahbwg.exe
2220	mvvymxhghy.exe
3940	mvvymxhghy.exe
3636	nojmdlhgox.exe
1364	nojmdlhgox.exe
3288	mzffbmlfgq.exe
2572	mzffbmlfgq.exe
1148	kyxwucfznr.exe
3944	kyxwucfznr.exe
4752	bjwfsqulgl.exe
1472	bjwfsqulgl.exe
688	mmxgqvlfyd.exe
5104	mmxgqvlfyd.exe
3092	rdokpdphdn.exe
3516	rdokpdphdn.exe
4080	jwafirequh.exe
2816	jwafirequh.exe
4996	jmkbkcaeuu.exe
3256	jmkbkcaeuu.exe
3852	oromufrmjl.exe
3440	oromufrmjl.exe
2940	zreneyemva.exe
1388	zreneyemva.exe
1352	mtvgpfvvdh.exe
2492	mtvgpfvvdh.exe
1872	odxhyvquwx.exe
4860	odxhyvquwx.exe
3496	tnefajssgl.exe
1940	tnefajssgl.exe
1368	gahyfhweyb.exe
1072	gahyfhweyb.exe
4456	jahefocrbp.exe
4708	jahefocrbp.exe
4856	ymhcowjitl.exe
4784	ymhcowjitl.exe
1816	wymnktfdia.exe
728	wymnktfdia.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgfdfvbozp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnlfcahbwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvvymxhghy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abykwqjsny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzffbmlfgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zreneyemva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inwckzrkjr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sgfdfvbozp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxzmdqjdms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddddoicqnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxjdxvihll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrltzhlekb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnefajssgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymhcowjitl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqwocfophh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbsxbkopxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmkbkcaeuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wymnktfdia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymhcowjitl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wymnktfdia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbsxbkopxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvvymxhghy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nojmdlhgox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odxhyvquwx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gahyfhweyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmuigzjbhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voacyjehzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzffbmlfgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdokpdphdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmkbkcaeuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jxacpmkurt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpcgdfxpes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inwckzrkjr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrhufrrszm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voacyjehzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyxwucfznr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjwfsqulgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gahyfhweyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxjdxvihll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrltzhlekb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhggriogvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhggriogvg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erwqqboqus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddddoicqnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jwafirequh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odxhyvquwx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jxacpmkurt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trhntetqea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfsficott.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnlfcahbwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nojmdlhgox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdokpdphdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jwafirequh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrhufrrszm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtvgpfvvdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jahefocrbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnefajssgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abykwqjsny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqwocfophh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfsficott.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyxwucfznr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbbbcelooj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1596	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1596	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1140	inwckzrkjr.exe
1140	inwckzrkjr.exe
1140	inwckzrkjr.exe
1140	inwckzrkjr.exe
1364	inwckzrkjr.exe
1364	inwckzrkjr.exe
4144	qrhufrrszm.exe
4144	qrhufrrszm.exe
4144	qrhufrrszm.exe
4144	qrhufrrszm.exe
2180	qrhufrrszm.exe
2180	qrhufrrszm.exe
4216	igfsficott.exe
4216	igfsficott.exe
4216	igfsficott.exe
4216	igfsficott.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1208	igfsficott.exe
1208	igfsficott.exe
1140	inwckzrkjr.exe
1140	inwckzrkjr.exe
4144	qrhufrrszm.exe
4144	qrhufrrszm.exe
3032	lmuigzjbhe.exe
3032	lmuigzjbhe.exe
3032	lmuigzjbhe.exe
3032	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
4216	igfsficott.exe
4216	igfsficott.exe
3852	sgfdfvbozp.exe
3852	sgfdfvbozp.exe
3852	sgfdfvbozp.exe
3852	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
3032	lmuigzjbhe.exe
3032	lmuigzjbhe.exe
1500	qxzmdqjdms.exe
1500	qxzmdqjdms.exe
1500	qxzmdqjdms.exe
1500	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
3852	sgfdfvbozp.exe
3852	sgfdfvbozp.exe
4652	ddddoicqnr.exe
4652	ddddoicqnr.exe
4652	ddddoicqnr.exe
4652	ddddoicqnr.exe
1464	ddddoicqnr.exe
1464	ddddoicqnr.exe
1500	qxzmdqjdms.exe
1500	qxzmdqjdms.exe
1968	voacyjehzj.exe
1968	voacyjehzj.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1596	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1596	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
1140	inwckzrkjr.exe
1140	inwckzrkjr.exe
1364	inwckzrkjr.exe
1364	inwckzrkjr.exe
4144	qrhufrrszm.exe
4144	qrhufrrszm.exe
2180	qrhufrrszm.exe
2180	qrhufrrszm.exe
4216	igfsficott.exe
4216	igfsficott.exe
1208	igfsficott.exe
1208	igfsficott.exe
3032	lmuigzjbhe.exe
3032	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
2824	lmuigzjbhe.exe
3852	sgfdfvbozp.exe
3852	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
3124	sgfdfvbozp.exe
1500	qxzmdqjdms.exe
1500	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
2488	qxzmdqjdms.exe
4652	ddddoicqnr.exe
4652	ddddoicqnr.exe
1464	ddddoicqnr.exe
1464	ddddoicqnr.exe
1968	voacyjehzj.exe
1968	voacyjehzj.exe
2576	voacyjehzj.exe
2576	voacyjehzj.exe
4980	cxjdxvihll.exe
4980	cxjdxvihll.exe
3352	cxjdxvihll.exe
3352	cxjdxvihll.exe
2788	hrltzhlekb.exe
2788	hrltzhlekb.exe
4732	hrltzhlekb.exe
4732	hrltzhlekb.exe
2188	cbsxbkopxx.exe
2188	cbsxbkopxx.exe
1788	cbsxbkopxx.exe
1788	cbsxbkopxx.exe
2976	zhggriogvg.exe
2976	zhggriogvg.exe
4700	zhggriogvg.exe
4700	zhggriogvg.exe
4508	nnlfcahbwg.exe
4508	nnlfcahbwg.exe
2676	nnlfcahbwg.exe
2676	nnlfcahbwg.exe
2220	mvvymxhghy.exe
2220	mvvymxhghy.exe
3940	mvvymxhghy.exe
3940	mvvymxhghy.exe
3636	nojmdlhgox.exe
3636	nojmdlhgox.exe
1364	nojmdlhgox.exe
1364	nojmdlhgox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1596	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	85
PID 728 wrote to memory of 1596	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	85
PID 728 wrote to memory of 1596	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	85
PID 728 wrote to memory of 1140	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	87
PID 728 wrote to memory of 1140	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	87
PID 728 wrote to memory of 1140	728	d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe	87
PID 1140 wrote to memory of 1364	1140	inwckzrkjr.exe	88
PID 1140 wrote to memory of 1364	1140	inwckzrkjr.exe	88
PID 1140 wrote to memory of 1364	1140	inwckzrkjr.exe	88
PID 1140 wrote to memory of 4144	1140	inwckzrkjr.exe	90
PID 1140 wrote to memory of 4144	1140	inwckzrkjr.exe	90
PID 1140 wrote to memory of 4144	1140	inwckzrkjr.exe	90
PID 4144 wrote to memory of 2180	4144	qrhufrrszm.exe	91
PID 4144 wrote to memory of 2180	4144	qrhufrrszm.exe	91
PID 4144 wrote to memory of 2180	4144	qrhufrrszm.exe	91
PID 4144 wrote to memory of 4216	4144	qrhufrrszm.exe	92
PID 4144 wrote to memory of 4216	4144	qrhufrrszm.exe	92
PID 4144 wrote to memory of 4216	4144	qrhufrrszm.exe	92
PID 4216 wrote to memory of 1208	4216	igfsficott.exe	93
PID 4216 wrote to memory of 1208	4216	igfsficott.exe	93
PID 4216 wrote to memory of 1208	4216	igfsficott.exe	93
PID 4216 wrote to memory of 3032	4216	igfsficott.exe	94
PID 4216 wrote to memory of 3032	4216	igfsficott.exe	94
PID 4216 wrote to memory of 3032	4216	igfsficott.exe	94
PID 3032 wrote to memory of 2824	3032	lmuigzjbhe.exe	95
PID 3032 wrote to memory of 2824	3032	lmuigzjbhe.exe	95
PID 3032 wrote to memory of 2824	3032	lmuigzjbhe.exe	95
PID 3032 wrote to memory of 3852	3032	lmuigzjbhe.exe	96
PID 3032 wrote to memory of 3852	3032	lmuigzjbhe.exe	96
PID 3032 wrote to memory of 3852	3032	lmuigzjbhe.exe	96
PID 3852 wrote to memory of 3124	3852	sgfdfvbozp.exe	97
PID 3852 wrote to memory of 3124	3852	sgfdfvbozp.exe	97
PID 3852 wrote to memory of 3124	3852	sgfdfvbozp.exe	97
PID 3852 wrote to memory of 1500	3852	sgfdfvbozp.exe	98
PID 3852 wrote to memory of 1500	3852	sgfdfvbozp.exe	98
PID 3852 wrote to memory of 1500	3852	sgfdfvbozp.exe	98
PID 1500 wrote to memory of 2488	1500	qxzmdqjdms.exe	99
PID 1500 wrote to memory of 2488	1500	qxzmdqjdms.exe	99
PID 1500 wrote to memory of 2488	1500	qxzmdqjdms.exe	99
PID 1500 wrote to memory of 4652	1500	qxzmdqjdms.exe	100
PID 1500 wrote to memory of 4652	1500	qxzmdqjdms.exe	100
PID 1500 wrote to memory of 4652	1500	qxzmdqjdms.exe	100
PID 4652 wrote to memory of 1464	4652	ddddoicqnr.exe	101
PID 4652 wrote to memory of 1464	4652	ddddoicqnr.exe	101
PID 4652 wrote to memory of 1464	4652	ddddoicqnr.exe	101
PID 4652 wrote to memory of 1968	4652	ddddoicqnr.exe	102
PID 4652 wrote to memory of 1968	4652	ddddoicqnr.exe	102
PID 4652 wrote to memory of 1968	4652	ddddoicqnr.exe	102
PID 1968 wrote to memory of 2576	1968	voacyjehzj.exe	103
PID 1968 wrote to memory of 2576	1968	voacyjehzj.exe	103
PID 1968 wrote to memory of 2576	1968	voacyjehzj.exe	103
PID 1968 wrote to memory of 4980	1968	voacyjehzj.exe	104
PID 1968 wrote to memory of 4980	1968	voacyjehzj.exe	104
PID 1968 wrote to memory of 4980	1968	voacyjehzj.exe	104
PID 4980 wrote to memory of 3352	4980	cxjdxvihll.exe	105
PID 4980 wrote to memory of 3352	4980	cxjdxvihll.exe	105
PID 4980 wrote to memory of 3352	4980	cxjdxvihll.exe	105
PID 4980 wrote to memory of 2788	4980	cxjdxvihll.exe	106
PID 4980 wrote to memory of 2788	4980	cxjdxvihll.exe	106
PID 4980 wrote to memory of 2788	4980	cxjdxvihll.exe	106
PID 2788 wrote to memory of 4732	2788	hrltzhlekb.exe	107
PID 2788 wrote to memory of 4732	2788	hrltzhlekb.exe	107
PID 2788 wrote to memory of 4732	2788	hrltzhlekb.exe	107
PID 2788 wrote to memory of 2188	2788	hrltzhlekb.exe	108

C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
"C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe
  C:\Users\Admin\AppData\Local\Temp\d35f49a9f98b0f420d350656bf1b6423a73076bb915b792db64725b1e5b0c41a.exe update inwckzrkjr.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\inwckzrkjr.exe
  C:\Users\Admin\AppData\Local\Temp\inwckzrkjr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\inwckzrkjr.exe
    C:\Users\Admin\AppData\Local\Temp\inwckzrkjr.exe update qrhufrrszm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\qrhufrrszm.exe
    C:\Users\Admin\AppData\Local\Temp\qrhufrrszm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\qrhufrrszm.exe
      C:\Users\Admin\AppData\Local\Temp\qrhufrrszm.exe update igfsficott.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\igfsficott.exe
      C:\Users\Admin\AppData\Local\Temp\igfsficott.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\igfsficott.exe
        
        C:\Users\Admin\AppData\Local\Temp\igfsficott.exe update lmuigzjbhe.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\lmuigzjbhe.exe
        
        C:\Users\Admin\AppData\Local\Temp\lmuigzjbhe.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\lmuigzjbhe.exe
        
        C:\Users\Admin\AppData\Local\Temp\lmuigzjbhe.exe update sgfdfvbozp.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\sgfdfvbozp.exe
        
        C:\Users\Admin\AppData\Local\Temp\sgfdfvbozp.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\sgfdfvbozp.exe
        
        C:\Users\Admin\AppData\Local\Temp\sgfdfvbozp.exe update qxzmdqjdms.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\qxzmdqjdms.exe
        
        C:\Users\Admin\AppData\Local\Temp\qxzmdqjdms.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\qxzmdqjdms.exe
        
        C:\Users\Admin\AppData\Local\Temp\qxzmdqjdms.exe update ddddoicqnr.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\ddddoicqnr.exe
        
        C:\Users\Admin\AppData\Local\Temp\ddddoicqnr.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\ddddoicqnr.exe
        
        C:\Users\Admin\AppData\Local\Temp\ddddoicqnr.exe update voacyjehzj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\voacyjehzj.exe
        
        C:\Users\Admin\AppData\Local\Temp\voacyjehzj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\voacyjehzj.exe
        
        C:\Users\Admin\AppData\Local\Temp\voacyjehzj.exe update cxjdxvihll.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\cxjdxvihll.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxjdxvihll.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\cxjdxvihll.exe
        
        C:\Users\Admin\AppData\Local\Temp\cxjdxvihll.exe update hrltzhlekb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe
        
        C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe update cbsxbkopxx.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\cbsxbkopxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbsxbkopxx.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\cbsxbkopxx.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbsxbkopxx.exe update zhggriogvg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\zhggriogvg.exe
        
        C:\Users\Admin\AppData\Local\Temp\zhggriogvg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\zhggriogvg.exe
        
        C:\Users\Admin\AppData\Local\Temp\zhggriogvg.exe update nnlfcahbwg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\nnlfcahbwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\nnlfcahbwg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\nnlfcahbwg.exe
        
        C:\Users\Admin\AppData\Local\Temp\nnlfcahbwg.exe update mvvymxhghy.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\mvvymxhghy.exe
        
        C:\Users\Admin\AppData\Local\Temp\mvvymxhghy.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\mvvymxhghy.exe
        
        C:\Users\Admin\AppData\Local\Temp\mvvymxhghy.exe update nojmdlhgox.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\nojmdlhgox.exe
        
        C:\Users\Admin\AppData\Local\Temp\nojmdlhgox.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\nojmdlhgox.exe
        
        C:\Users\Admin\AppData\Local\Temp\nojmdlhgox.exe update mzffbmlfgq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe
        
        C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe update kyxwucfznr.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\kyxwucfznr.exe
        
        C:\Users\Admin\AppData\Local\Temp\kyxwucfznr.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\kyxwucfznr.exe
        
        C:\Users\Admin\AppData\Local\Temp\kyxwucfznr.exe update bjwfsqulgl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\bjwfsqulgl.exe
        
        C:\Users\Admin\AppData\Local\Temp\bjwfsqulgl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\bjwfsqulgl.exe
        
        C:\Users\Admin\AppData\Local\Temp\bjwfsqulgl.exe update mmxgqvlfyd.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\mmxgqvlfyd.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmxgqvlfyd.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\mmxgqvlfyd.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmxgqvlfyd.exe update rdokpdphdn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\rdokpdphdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\rdokpdphdn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\rdokpdphdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\rdokpdphdn.exe update jwafirequh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\jwafirequh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jwafirequh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\jwafirequh.exe
        
        C:\Users\Admin\AppData\Local\Temp\jwafirequh.exe update jmkbkcaeuu.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\jmkbkcaeuu.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmkbkcaeuu.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\jmkbkcaeuu.exe
        
        C:\Users\Admin\AppData\Local\Temp\jmkbkcaeuu.exe update oromufrmjl.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\oromufrmjl.exe
        
        C:\Users\Admin\AppData\Local\Temp\oromufrmjl.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\oromufrmjl.exe
        
        C:\Users\Admin\AppData\Local\Temp\oromufrmjl.exe update zreneyemva.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\zreneyemva.exe
        
        C:\Users\Admin\AppData\Local\Temp\zreneyemva.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\zreneyemva.exe
        
        C:\Users\Admin\AppData\Local\Temp\zreneyemva.exe update mtvgpfvvdh.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\mtvgpfvvdh.exe
        
        C:\Users\Admin\AppData\Local\Temp\mtvgpfvvdh.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\mtvgpfvvdh.exe
        
        C:\Users\Admin\AppData\Local\Temp\mtvgpfvvdh.exe update odxhyvquwx.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\odxhyvquwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\odxhyvquwx.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\odxhyvquwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\odxhyvquwx.exe update tnefajssgl.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tnefajssgl.exe
        
        C:\Users\Admin\AppData\Local\Temp\tnefajssgl.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tnefajssgl.exe
        
        C:\Users\Admin\AppData\Local\Temp\tnefajssgl.exe update gahyfhweyb.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe
        
        C:\Users\Admin\AppData\Local\Temp\gahyfhweyb.exe update jahefocrbp.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\jahefocrbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\jahefocrbp.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\jahefocrbp.exe
        
        C:\Users\Admin\AppData\Local\Temp\jahefocrbp.exe update ymhcowjitl.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\ymhcowjitl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymhcowjitl.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\ymhcowjitl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymhcowjitl.exe update wymnktfdia.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\wymnktfdia.exe
        
        C:\Users\Admin\AppData\Local\Temp\wymnktfdia.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\wymnktfdia.exe
        
        C:\Users\Admin\AppData\Local\Temp\wymnktfdia.exe update erwqqboqus.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\erwqqboqus.exe
        
        C:\Users\Admin\AppData\Local\Temp\erwqqboqus.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\erwqqboqus.exe
        
        C:\Users\Admin\AppData\Local\Temp\erwqqboqus.exe update jxacpmkurt.exe
        34⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\jxacpmkurt.exe
        
        C:\Users\Admin\AppData\Local\Temp\jxacpmkurt.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\jxacpmkurt.exe
        
        C:\Users\Admin\AppData\Local\Temp\jxacpmkurt.exe update abykwqjsny.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\abykwqjsny.exe
        
        C:\Users\Admin\AppData\Local\Temp\abykwqjsny.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\abykwqjsny.exe
        
        C:\Users\Admin\AppData\Local\Temp\abykwqjsny.exe update lpcgdfxpes.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        36⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpcgdfxpes.exe update dbbbcelooj.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\dbbbcelooj.exe
        
        C:\Users\Admin\AppData\Local\Temp\dbbbcelooj.exe
        37⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\dbbbcelooj.exe
        
        C:\Users\Admin\AppData\Local\Temp\dbbbcelooj.exe update yzuhevfnsw.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\yzuhevfnsw.exe
        
        C:\Users\Admin\AppData\Local\Temp\yzuhevfnsw.exe
        38⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\yzuhevfnsw.exe
        
        C:\Users\Admin\AppData\Local\Temp\yzuhevfnsw.exe update trhntetqea.exe
        39⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\trhntetqea.exe
        
        C:\Users\Admin\AppData\Local\Temp\trhntetqea.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\trhntetqea.exe
        
        C:\Users\Admin\AppData\Local\Temp\trhntetqea.exe update dqwocfophh.exe
        40⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\dqwocfophh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqwocfophh.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\dqwocfophh.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqwocfophh.exe update qenzofldfs.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\qenzofldfs.exe
        
        C:\Users\Admin\AppData\Local\Temp\qenzofldfs.exe
        41⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\qenzofldfs.exe
        
        C:\Users\Admin\AppData\Local\Temp\qenzofldfs.exe update dweinbqkmc.exe
        42⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\dweinbqkmc.exe
        
        C:\Users\Admin\AppData\Local\Temp\dweinbqkmc.exe
        42⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\dweinbqkmc.exe
        
        C:\Users\Admin\AppData\Local\Temp\dweinbqkmc.exe update imugajhvwh.exe
        43⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\imugajhvwh.exe
        
        C:\Users\Admin\AppData\Local\Temp\imugajhvwh.exe
        43⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\imugajhvwh.exe
        
        C:\Users\Admin\AppData\Local\Temp\imugajhvwh.exe update ixgctyemoi.exe
        44⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\ixgctyemoi.exe
        
        C:\Users\Admin\AppData\Local\Temp\ixgctyemoi.exe
        44⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\ixgctyemoi.exe
        
        C:\Users\Admin\AppData\Local\Temp\ixgctyemoi.exe update lphkibptkf.exe
        45⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\lphkibptkf.exe
        
        C:\Users\Admin\AppData\Local\Temp\lphkibptkf.exe
        45⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\lphkibptkf.exe
        
        C:\Users\Admin\AppData\Local\Temp\lphkibptkf.exe update fpylgahwbv.exe
        46⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\fpylgahwbv.exe
        
        C:\Users\Admin\AppData\Local\Temp\fpylgahwbv.exe
        46⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\fpylgahwbv.exe
        
        C:\Users\Admin\AppData\Local\Temp\fpylgahwbv.exe update avrzgfzfqw.exe
        47⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\avrzgfzfqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\avrzgfzfqw.exe
        47⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\avrzgfzfqw.exe
        
        C:\Users\Admin\AppData\Local\Temp\avrzgfzfqw.exe update pdnkejiuvf.exe
        48⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\pdnkejiuvf.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdnkejiuvf.exe
        48⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\pdnkejiuvf.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdnkejiuvf.exe update agoxqobwlg.exe
        49⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\agoxqobwlg.exe
        
        C:\Users\Admin\AppData\Local\Temp\agoxqobwlg.exe
        49⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\agoxqobwlg.exe
        
        C:\Users\Admin\AppData\Local\Temp\agoxqobwlg.exe update kcatxcptcz.exe
        50⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\kcatxcptcz.exe
        
        C:\Users\Admin\AppData\Local\Temp\kcatxcptcz.exe
        50⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\kcatxcptcz.exe
        
        C:\Users\Admin\AppData\Local\Temp\kcatxcptcz.exe update zdwjdtkhtd.exe
        51⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        51⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdwjdtkhtd.exe update kdlknuegwk.exe
        52⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\kdlknuegwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\kdlknuegwk.exe
        52⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\kdlknuegwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\kdlknuegwk.exe update cpjnasnagl.exe
        53⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\cpjnasnagl.exe
        
        C:\Users\Admin\AppData\Local\Temp\cpjnasnagl.exe
        53⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\cpjnasnagl.exe
        
        C:\Users\Admin\AppData\Local\Temp\cpjnasnagl.exe update clgoxlruka.exe
        54⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\clgoxlruka.exe
        
        C:\Users\Admin\AppData\Local\Temp\clgoxlruka.exe
        54⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\clgoxlruka.exe
        
        C:\Users\Admin\AppData\Local\Temp\clgoxlruka.exe update ewjpgbesvq.exe
        55⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\ewjpgbesvq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ewjpgbesvq.exe
        55⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\ewjpgbesvq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ewjpgbesvq.exe update cipnvxxwmw.exe
        56⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cipnvxxwmw.exe
        
        C:\Users\Admin\AppData\Local\Temp\cipnvxxwmw.exe
        56⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\cipnvxxwmw.exe
        
        C:\Users\Admin\AppData\Local\Temp\cipnvxxwmw.exe update bbbipmunwx.exe
        57⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\bbbipmunwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\bbbipmunwx.exe
        57⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\bbbipmunwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\bbbipmunwx.exe update phebmkgann.exe
        58⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\phebmkgann.exe
        
        C:\Users\Admin\AppData\Local\Temp\phebmkgann.exe
        58⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\phebmkgann.exe
        
        C:\Users\Admin\AppData\Local\Temp\phebmkgann.exe update haqxfrvrfh.exe
        59⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\haqxfrvrfh.exe
        
        C:\Users\Admin\AppData\Local\Temp\haqxfrvrfh.exe
        59⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\haqxfrvrfh.exe
        
        C:\Users\Admin\AppData\Local\Temp\haqxfrvrfh.exe update eyaaxrnyjh.exe
        60⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\eyaaxrnyjh.exe
        
        C:\Users\Admin\AppData\Local\Temp\eyaaxrnyjh.exe
        60⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\eyaaxrnyjh.exe
        
        C:\Users\Admin\AppData\Local\Temp\eyaaxrnyjh.exe update jdgztdkxbx.exe
        61⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\jdgztdkxbx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdgztdkxbx.exe
        61⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\jdgztdkxbx.exe
        
        C:\Users\Admin\AppData\Local\Temp\jdgztdkxbx.exe update mnizltfwln.exe
        62⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        62⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe
        
        C:\Users\Admin\AppData\Local\Temp\mnizltfwln.exe update mshnsmyhka.exe
        63⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\mshnsmyhka.exe
        
        C:\Users\Admin\AppData\Local\Temp\mshnsmyhka.exe
        63⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\mshnsmyhka.exe
        
        C:\Users\Admin\AppData\Local\Temp\mshnsmyhka.exe update jiawwmwfjz.exe
        64⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\jiawwmwfjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\jiawwmwfjz.exe
        64⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\jiawwmwfjz.exe
        
        C:\Users\Admin\AppData\Local\Temp\jiawwmwfjz.exe update gofaadxenc.exe
        65⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\gofaadxenc.exe
        
        C:\Users\Admin\AppData\Local\Temp\gofaadxenc.exe
        65⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\gofaadxenc.exe
        
        C:\Users\Admin\AppData\Local\Temp\gofaadxenc.exe update mmvtfyjplt.exe
        66⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\mmvtfyjplt.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmvtfyjplt.exe
        66⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\mmvtfyjplt.exe
        
        C:\Users\Admin\AppData\Local\Temp\mmvtfyjplt.exe update owylxweovj.exe
        67⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\owylxweovj.exe
        
        C:\Users\Admin\AppData\Local\Temp\owylxweovj.exe
        67⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\owylxweovj.exe
        
        C:\Users\Admin\AppData\Local\Temp\owylxweovj.exe update zwnugprnzp.exe
        68⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\zwnugprnzp.exe
        
        C:\Users\Admin\AppData\Local\Temp\zwnugprnzp.exe
        68⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\zwnugprnzp.exe
        
        C:\Users\Admin\AppData\Local\Temp\zwnugprnzp.exe update yajkancqws.exe
        69⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\yajkancqws.exe
        
        C:\Users\Admin\AppData\Local\Temp\yajkancqws.exe
        69⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\yajkancqws.exe
        
        C:\Users\Admin\AppData\Local\Temp\yajkancqws.exe update qhmledgazj.exe
        70⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\qhmledgazj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qhmledgazj.exe
        70⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\qhmledgazj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qhmledgazj.exe update bwxzsyysym.exe
        71⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\bwxzsyysym.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwxzsyysym.exe
        71⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\bwxzsyysym.exe
        
        C:\Users\Admin\AppData\Local\Temp\bwxzsyysym.exe update ymhkkzqzdn.exe
        72⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\ymhkkzqzdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymhkkzqzdn.exe
        72⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\ymhkkzqzdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymhkkzqzdn.exe update alhisgouhb.exe
        73⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\alhisgouhb.exe
        
        C:\Users\Admin\AppData\Local\Temp\alhisgouhb.exe
        73⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\alhisgouhb.exe
        
        C:\Users\Admin\AppData\Local\Temp\alhisgouhb.exe update jnruypxhst.exe
        74⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\jnruypxhst.exe
        
        C:\Users\Admin\AppData\Local\Temp\jnruypxhst.exe
        74⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\jnruypxhst.exe
        
        C:\Users\Admin\AppData\Local\Temp\jnruypxhst.exe update yractrwpii.exe
        75⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\yractrwpii.exe
        
        C:\Users\Admin\AppData\Local\Temp\yractrwpii.exe
        75⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\yractrwpii.exe
        
        C:\Users\Admin\AppData\Local\Temp\yractrwpii.exe update veenmnwxfa.exe
        76⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\veenmnwxfa.exe
        
        C:\Users\Admin\AppData\Local\Temp\veenmnwxfa.exe
        76⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\veenmnwxfa.exe
        
        C:\Users\Admin\AppData\Local\Temp\veenmnwxfa.exe update fetwnoixjg.exe
        77⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\fetwnoixjg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fetwnoixjg.exe
        77⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\fetwnoixjg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fetwnoixjg.exe update snjzbcinws.exe
        78⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\snjzbcinws.exe
        
        C:\Users\Admin\AppData\Local\Temp\snjzbcinws.exe
        78⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\snjzbcinws.exe
        
        C:\Users\Admin\AppData\Local\Temp\snjzbcinws.exe update xxcbnmmxjn.exe
        79⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\xxcbnmmxjn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxcbnmmxjn.exe
        79⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\xxcbnmmxjn.exe
        
        C:\Users\Admin\AppData\Local\Temp\xxcbnmmxjn.exe update xbbpvfniia.exe
        80⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\xbbpvfniia.exe
        
        C:\Users\Admin\AppData\Local\Temp\xbbpvfniia.exe
        80⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\xbbpvfniia.exe
        
        C:\Users\Admin\AppData\Local\Temp\xbbpvfniia.exe update usrscnjcmd.exe
        81⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        81⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe
        
        C:\Users\Admin\AppData\Local\Temp\usrscnjcmd.exe update ijylnpzjld.exe
        82⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\ijylnpzjld.exe
        
        C:\Users\Admin\AppData\Local\Temp\ijylnpzjld.exe
        82⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\ijylnpzjld.exe
        
        C:\Users\Admin\AppData\Local\Temp\ijylnpzjld.exe update ceycswcoln.exe
        83⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\ceycswcoln.exe
        
        C:\Users\Admin\AppData\Local\Temp\ceycswcoln.exe
        83⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\ceycswcoln.exe
        
        C:\Users\Admin\AppData\Local\Temp\ceycswcoln.exe update sjhlnzbwic.exe
        84⤵
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjwfsqulgl.exe

Filesize
10.4MB

MD5
f5a478e9467235c6290b6032ed581803

SHA1
06f49679d8d8713877599b4ea7d38a3690be4ed5

SHA256
5e433f1cc487c3feb40de48f6fa512aa3d800258aaa4274f48ebebbc6a24f5e8

SHA512
abc744b78ba1d5e2088bc1b6ba483e6d508e72343b4cf548361bcdc577fbbc7a4b5de2c0e60ad4b558d63a4f5f38b9ecf54ccb744b09eed32305b968f29f19ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbsxbkopxx.exe

Filesize
10.4MB

MD5
7a3b08e854c191218bb8fb103e9aaa7f

SHA1
4bd8463795b3dfa4ee3254ef449d010b6752173c

SHA256
9c9c82f8a85bbf962c0098965d915ef5c2fddefe251b1296e169efec11ef32de

SHA512
470a5524e5616a1c396e06e024557fd99e284437b15fe04126514814ad9341f9ef1a04534364f8c507537c362462f015e0cd2951dd1a1a01c741a7d242e8ce79

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxjdxvihll.exe

Filesize
10.4MB

MD5
cf13e94787f7acfdfd9fad1152cea5ae

SHA1
0555cbb073c21714723944f1ce3a68a6de56bb8a

SHA256
8cd9ba8368203c7dd4a55710145415ea88aff64617917605e48cc1a0432a52d9

SHA512
0c8ca018033ef0d71ea2e0204f5099dc660fc8746630fd7c107f98458816d9bd4107c0f890f97b459244fb3fa3494253400909fee33387cd9ceda7da28f6589a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddddoicqnr.exe

Filesize
10.4MB

MD5
82ea69019027b8cbbad42e3b89f3550e

SHA1
bc4f7f1e533bcdbfd7e36be856255ccc732974d0

SHA256
735930c49a6545fb65ded5223a69617667ce065dfaf31c977fde8b43605bad90

SHA512
3c815a2da34258c34a533a034d40d9afcf8d4c8f10c9134f5e22d0a5b55cc2ddd1e539472b1320be01be60aca900b1360664ac0dde46908254e4532ec8db6a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrltzhlekb.exe

Filesize
10.4MB

MD5
86e9a3111c6ba2d367ebc7193cce4cfe

SHA1
2e8d90257196aacdb715eb70065d29b33bfd5875

SHA256
d69287c438bbc4a2a36590b77696a94b7e980079085206519d3279322682775d

SHA512
6350a0f82ce6e1f1a12b83b440e0104d2f00f98e083b6f4c73c229da8858762dac3eb26155616067485cf5c84c4d0741e7c838919f97eadce668f0ba3422d5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\igfsficott.exe

Filesize
10.4MB

MD5
abbaf2481eba3ac576ea4c52fc1fe5dd

SHA1
3e1f769123df342e1358d981b77bbaa925aaa57a

SHA256
9527191c6376862c6ffc3412bd3b934c80cdda7890b21fc446bf4d8617d4e9b7

SHA512
c95f210865d42df739f68edbe1b8cf25671a2abdfdc34a6806e0453f7a857978f1c7fbca53d08c5c8c2eed57a13273989d3985723184a7fd2327daee0b689d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\inwckzrkjr.exe

Filesize
10.4MB

MD5
22497e838980853c002b5bef0fd98f24

SHA1
2b76ad5fc6b744dbce5bbdf9335fcdf3b319631a

SHA256
0b35700abd124984b4775255b6d2abc04ad6633eee4f60023a0b3e5c66d204bb

SHA512
26c7822aee1c2934a1b024dce83682e1d394c9b2ec62f69ee6ced0b38339b27b2daab3ed70302c80241c0a55c65c056371b5db6a05c96cda95ed4010a8314656

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyxwucfznr.exe

Filesize
10.4MB

MD5
5083e584548112e40ca2ad468ff98f17

SHA1
ba732f3014c9275e6c5a9c7e8732562fd92a09f8

SHA256
d416b1fee11d4d78e5d3c94ad28ec2e1ef4c321971bddc8d958a70429aeca17f

SHA512
31ff33b7c74f99a5ab4f36f18e8aa7a501b7b1f99f13e69628d03fefef90611ea31550bcd41a9580a4b22d9fcfdc89f5af36f11067133eaab6d1280e2bf59c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmuigzjbhe.exe

Filesize
10.4MB

MD5
2cc23fe2a0070c1bf6c3ee5856fb0430

SHA1
a051e63f9d1149599d20e248aa5ade7546fd6f98

SHA256
9e2e540fb9a557700a29495944563a1f05dbded4fb48d20590b70041e34235af

SHA512
273148d4057ab8c26f6d700adb21120495e17bb0b04ab8bc7b8248b3416f7a1c5fb8baa7347ae711a72f3e132ca52b1d4b8b99c9f4beeb86ccbc3fd9f31450b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvvymxhghy.exe

Filesize
10.4MB

MD5
0cbc0749a8e75f08eeadb97b4c92c92d

SHA1
3c9972dec955a8286e615e114c5797b63aace836

SHA256
80b9d826e0642f8cb63a9d7462f6236e9aada873f34c057acbb4e4ef0679a4bf

SHA512
20b57b288f4bfa9b8107bf8170f39c602ecf5231193953e305bbc35ed740db2d5036d2c2c0bb149f291475bf8c5623f43f20f1e2f242d30e9eda47484135f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzffbmlfgq.exe

Filesize
10.4MB

MD5
5696f7ed3a98e2ea7c729c0bcbc1b2ec

SHA1
a7251043ab3ca5452435c567c57cf54f50512410

SHA256
41496654743904eedcbc344b2faa988122ff9318e396160ed2ad45666575d1d7

SHA512
61751b3ac69c60898d647425d94fdc7a388b47cca80631444b7d127167817ea179c3b335b138d2ca6aa809580ee1567a5a10b84f469798851e04cdf6ecac56ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnlfcahbwg.exe

Filesize
10.4MB

MD5
8573e834c93b3e7a5caf743b1074b2ae

SHA1
4ddef0d55c8d58d8483d2b28c77c44f1f45b95fb

SHA256
437bc02eba9eff8f4d50841216fff3297b89ecb61ce42f8655208b7f41a88162

SHA512
4fed99a772e6f7aa1931830e370bb76d56b24a78c4b305f41122a3ea14bbd3f4fd50f8210dbe237488170c210f01faad9252ba4edd2814ba1c008a42212e1918

Download Submit
C:\Users\Admin\AppData\Local\Temp\nojmdlhgox.exe

Filesize
10.4MB

MD5
6e3b7c98ed50baac2b6e4dcf06229f97

SHA1
8a94628cddbda889b3fb81aed55b416506db1c8d

SHA256
ddc9be85394223cd86d4cee3101628c4a806c0976eaa8b7fcb4e6931134df4d6

SHA512
9bc14a0f960f4dc95b906683a3615fb6484cd83c04b74ef0728bff3e5f9e4198e181bc617d31a1aeeb9d7ac76ec4f89636da52a8344b2e766737fed40c86e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrhufrrszm.exe

Filesize
10.4MB

MD5
e43471d897b0dbdbd09f4a86fa861678

SHA1
787927f3ff9b789703d76ea75d3a850ea1ce6633

SHA256
517491e4658d80045be023d21cfe2c6dc0fcccc5699303f6e9f5b85c579e6087

SHA512
20717495254ba3119318c79639d9cb50cb5c92004dc0f3fdeeed4f4d0e5067826f8c02383f6d6b2612d1295221b5d695b829e75c90bcac1617220095000fafc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxzmdqjdms.exe

Filesize
10.4MB

MD5
b3cc9618cb9c2aac35193de2340809a5

SHA1
e9227efe8a6d9d8e6e3d2cf4f2ccc07a845accbe

SHA256
30d3402650ff0947746ec824fd3ed589bf1900b569c5c8b02ab6f01aa2949118

SHA512
82dacaca0a958051f3a3210e0b01abbbb6dbf48b7ac1980b975b172bb3aac8aca570d702f9b3f6c3d709502543303050067fe15f1d07d25d578b855014d7dffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgfdfvbozp.exe

Filesize
10.4MB

MD5
0987fef636e0020184ea85da0d52209f

SHA1
69507e0c35c9da832864956603bc940209a2bf2b

SHA256
6fdd3de61442ee68801fbcfb0218573234bf3f9c8283faa0b3755fa44de3791f

SHA512
f4cb835017d045382a0eadc274594beeb34f75199dc4fec9b1b33d3d87986d624454b1dc4896859329a0a1202e0c8b5850aa56119b84be687696f44c130da35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
d2197affef1d390ffaead987386fe8b1

SHA1
68efe793af980493e5274d7f08ed71766d4351d2

SHA256
a1fee98da9af2f6214cd274c2d1aeca5febd3b3d2aeaa097a8321bd89f014a37

SHA512
41bfe82e2d2f0cb7d29abe8e7db1c79813a523d72997f994828baf4ff03d9c02f4ad69261e4a4807b26fe81cc580f58e0194e54b72927b195d603fa41abaa300

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
fdc43fef282f5b973dd3b9889401abc1

SHA1
b57fbf951139e6fe13fe75ed602b197187e96b17

SHA256
68ec6956b3c195daa6660e1903b88acda44be6eb35d3930cecf1ef4f1a94704e

SHA512
59f8e1dc3c306c27719c0fdf8a090057f06a189b87fc6804096ddf06aa34433d9354c3cdf1257ceb22a0de3e004ff27a7b6ac0629e3447009d9469f5b248e405

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
f8a71b1bc951d58a37643fd5561a0a5f

SHA1
a70e02af3474d92c7c0da0ebda6fd36c5f9157b0

SHA256
8056183db8d14c89e6093c91875e408a50270a50e906bdf628b7d880145ba488

SHA512
3bc8fe7117da67bc8af13e288c1a0756c664c6cdbed050c9cce7be8f3d4e191d0213c228bcec15a16e87709ece730571bbb2ab3c6dffe1353651dbbe8d863faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
e19a2a01bef0ce5d9f02075d304a28e4

SHA1
c1576497cb7a78f957cc3909daf8747f93b9c2f1

SHA256
14c5a0dc3e2f1b05f25591538d526a43a6049438a2a53d7c82b822bb84f95e4b

SHA512
3011e4a32d76255c6160d6a581497026e935206571b48c4980781788f62e9aa9f34ae05820ae91727702f97639ec31ac8fdcf400f7c86767613ac0b597a67c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
9bbab624c9e94cbe8cbb5bca17a03467

SHA1
61713f3fb71528ef93ee64c36651dd5553c74298

SHA256
4c4d07568e417a207aabffb179d572c4b763b4e8805dd60e9e68b51bc0de0cd3

SHA512
08aa83249a9d9eeffec0ee7f094551335c95a0299aaf41ac9240bca41f06147ce4afb18b3f84899c9be682e7bde7f58fdc211ce8849dc87dcea2d8e6e4032c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
0fa735f9a8e14b958bd8284064a49f44

SHA1
6d29aad6bb513b557e09f228977bb8a7ac001c64

SHA256
1f35f401469bf184b00a5d7c96b9f16155ee4fc1a22a24c8bdcd31d57e07139b

SHA512
7b910c1c473576e21901f4682e2bbff8215c732b4170d0722b1a60ccbd3fb32cb578c089c28e159a2f9f20def33c5910e4b8736aca12149f2fb465ee5b1c839e

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
a5878764fc640797d8fae6fa697aa14c

SHA1
8e508567fcc8e1a018e7ee8c551e1079070b279e

SHA256
408671ac8646c86fae3def04d1605aceb02496b3cf2fc0d438e748b2e4acc086

SHA512
5311b88b847434e70f563f21b251a2d8342bc7e33bea3dd432a94183f9dafc08e056bbaaf0a1a49709a49f5f4eeb165914ad0241e5e8f8fe0abcbecd5c756beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
c525ff40d1d6cc00338c75cc8a0da063

SHA1
9ef1a77567ab74aa3b6c8d76743914e2080f16dc

SHA256
830400d68c7d902a7b263fc2ef187430588fa00250617575fcb9ada764335849

SHA512
e2e99ccab10e043909b496edea6e52ca0b5c1b2972c1f03c3839c5cf17259fa565b82e309dfe4b2b1b87b23a3cc1e1efaad5af7aa76d1f6f83500f015b950a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\voacyjehzj.exe

Filesize
10.4MB

MD5
162a91256b00d9538345506e8a6ed65f

SHA1
70a259c7cf8cef66864b87503f7274571352e56d

SHA256
ab4ef0740caa94c502e3e5845e3d9c5cf07eed82e348f273fc35babf18f5c8a0

SHA512
c2b6938d1235572f03eec02179b7f106739c7b58f2334e59fe0b01db09ef7ab5bf52b98f411a7316e53cabb5f81ce134f6b73f7f58afacba5b525a44776571e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhggriogvg.exe

Filesize
10.4MB

MD5
2070fae9995acdf7f8963cdeb940cbb7

SHA1
90bb92789b09d74bd4c9f655c584e9dde47aaf12

SHA256
5db49a9788d3d1baff2a90695a3ffe014f24979cd189157a31648b42b298c78c

SHA512
69ff81cf78a6eceefc121fe02b967b3855cdb3e18803cb3f23a45594a44df4fb5e52adc44eb98bfac819c43a093df037add5acbc6a41360ece6a4d813b6bc5e3

Download Submit
memory/728-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/728-0-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/728-62-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/728-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/728-67-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/1140-11-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1140-12-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1140-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1140-73-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1208-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1364-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1364-15-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1364-164-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1364-163-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1464-76-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1500-58-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1500-57-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1596-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1596-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1596-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1788-120-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1968-81-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1968-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2180-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2188-117-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2220-150-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2488-61-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2576-87-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2676-142-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2788-105-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2788-106-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2824-42-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2824-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2976-128-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3032-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3124-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3352-98-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3352-97-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3636-161-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3636-160-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3852-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3940-152-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3940-153-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-21-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/4216-30-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4216-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4508-139-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4652-70-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4700-131-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4732-109-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4980-95-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4980-94-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download