Analysis
-
max time kernel
898s -
max time network
901s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
06/03/2025, 18:11
General
-
Target
15415145.exe
-
Size
59KB
-
MD5
6c091ad6fae0fa76f44870d1a1b05cb4
-
SHA1
040f60c0ee3f4902f919025057e34ab4d11b1abd
-
SHA256
c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
-
SHA512
3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
SSDEEP
1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
known-savage.gl.at.ply.gg:45116
association-lectures.gl.at.ply.gg:32463
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
aes.plain
aes.plain
Signatures
-
Detect Xworm Payload 24 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 22 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15415145.exe"C:\Users\Admin\AppData\Local\Temp\15415145.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "15415145" /tr "C:\Users\Admin\AppData\Roaming\15415145.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\rmoutu.exe"C:\Users\Admin\AppData\Local\Temp\rmoutu.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rmoutu.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rmoutu.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rmoutu.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rmoutu" /tr "C:\Users\Admin\AppData\Roaming\rmoutu.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\ongdrw.exe"C:\Users\Admin\AppData\Local\Temp\ongdrw.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\cluovb.exe"C:\Users\Admin\AppData\Local\Temp\cluovb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\gticfu.exe"C:\Users\Admin\AppData\Local\Temp\gticfu.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "gticfu" /tr "C:\Users\Admin\AppData\Roaming\gticfu.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\iwlxyq.exe"C:\Users\Admin\AppData\Local\Temp\iwlxyq.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\gqwfqi.exe"C:\Users\Admin\AppData\Local\Temp\gqwfqi.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\zomjwy.exe"C:\Users\Admin\AppData\Local\Temp\zomjwy.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\txsyfb.exe"C:\Users\Admin\AppData\Local\Temp\txsyfb.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "txsyfb" /tr "C:\Users\Admin\AppData\Roaming\txsyfb.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\jlztct.exe"C:\Users\Admin\AppData\Local\Temp\jlztct.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\wogsju.exe"C:\Users\Admin\AppData\Local\Temp\wogsju.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fokdxl.exe"C:\Users\Admin\AppData\Local\Temp\fokdxl.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "fokdxl" /tr "C:\Users\Admin\AppData\Roaming\fokdxl.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\ppoyjz.exe"C:\Users\Admin\AppData\Local\Temp\ppoyjz.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\xavuwg.exe"C:\Users\Admin\AppData\Local\Temp\xavuwg.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nctfke.exe"C:\Users\Admin\AppData\Local\Temp\nctfke.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ugbvab.exe"C:\Users\Admin\AppData\Local\Temp\ugbvab.exe"5⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ugbvab" /tr "C:\Users\Admin\AppData\Roaming\ugbvab.exe"6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\htmror.exe"C:\Users\Admin\AppData\Local\Temp\htmror.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kvnlwk.exe"C:\Users\Admin\AppData\Local\Temp\kvnlwk.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hhtrfd.exe"C:\Users\Admin\AppData\Local\Temp\hhtrfd.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qnqrfn.exe"C:\Users\Admin\AppData\Local\Temp\qnqrfn.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pdxzzj.exe"C:\Users\Admin\AppData\Local\Temp\pdxzzj.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gbxade.exe"C:\Users\Admin\AppData\Local\Temp\gbxade.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cvrgxc.exe"C:\Users\Admin\AppData\Local\Temp\cvrgxc.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\evlzom.exe"C:\Users\Admin\AppData\Local\Temp\evlzom.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sndgvo.exe"C:\Users\Admin\AppData\Local\Temp\sndgvo.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fpozck.exe"C:\Users\Admin\AppData\Local\Temp\fpozck.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tkvefv.exe"C:\Users\Admin\AppData\Local\Temp\tkvefv.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mgeppk.exe"C:\Users\Admin\AppData\Local\Temp\mgeppk.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mjpnmk.exe"C:\Users\Admin\AppData\Local\Temp\mjpnmk.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bpplhm.exe"C:\Users\Admin\AppData\Local\Temp\bpplhm.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fafjvo.exe"C:\Users\Admin\AppData\Local\Temp\fafjvo.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qctgnn.exe"C:\Users\Admin\AppData\Local\Temp\qctgnn.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hapqnh.exe"C:\Users\Admin\AppData\Local\Temp\hapqnh.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\idyttm.exe"C:\Users\Admin\AppData\Local\Temp\idyttm.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xylypj.exe"C:\Users\Admin\AppData\Local\Temp\xylypj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wmcpik.exe"C:\Users\Admin\AppData\Local\Temp\wmcpik.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\capzix.exe"C:\Users\Admin\AppData\Local\Temp\capzix.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nefnbx.exe"C:\Users\Admin\AppData\Local\Temp\nefnbx.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fstfnt.exe"C:\Users\Admin\AppData\Local\Temp\fstfnt.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iupmbk.exe"C:\Users\Admin\AppData\Local\Temp\iupmbk.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nylmxj.exe"C:\Users\Admin\AppData\Local\Temp\nylmxj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\exujcj.exe"C:\Users\Admin\AppData\Local\Temp\exujcj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ouydiv.exe"C:\Users\Admin\AppData\Local\Temp\ouydiv.exe"5⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ouydiv" /tr "C:\Users\Admin\AppData\Roaming\ouydiv.exe"6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\svtkzi.exe"C:\Users\Admin\AppData\Local\Temp\svtkzi.exe"6⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svtkzi" /tr "C:\Users\Admin\AppData\Roaming\svtkzi.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\agexrt.exe"C:\Users\Admin\AppData\Local\Temp\agexrt.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ypqrod.exe"C:\Users\Admin\AppData\Local\Temp\ypqrod.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\lwhwjz.exe"C:\Users\Admin\AppData\Local\Temp\lwhwjz.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fdwvgv.exe"C:\Users\Admin\AppData\Local\Temp\fdwvgv.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cftaqg.exe"C:\Users\Admin\AppData\Local\Temp\cftaqg.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bcwpuh.exe"C:\Users\Admin\AppData\Local\Temp\bcwpuh.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\vvavib.exe"C:\Users\Admin\AppData\Local\Temp\vvavib.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zfhenr.exe"C:\Users\Admin\AppData\Local\Temp\zfhenr.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ufckxm.exe"C:\Users\Admin\AppData\Local\Temp\ufckxm.exe"6⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ufckxm" /tr "C:\Users\Admin\AppData\Roaming\ufckxm.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\esvian.exe"C:\Users\Admin\AppData\Local\Temp\esvian.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xdlgew.exe"C:\Users\Admin\AppData\Local\Temp\xdlgew.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bwqnej.exe"C:\Users\Admin\AppData\Local\Temp\bwqnej.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iskeez.exe"C:\Users\Admin\AppData\Local\Temp\iskeez.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ipkvdk.exe"C:\Users\Admin\AppData\Local\Temp\ipkvdk.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uemmpn.exe"C:\Users\Admin\AppData\Local\Temp\uemmpn.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wdmson.exe"C:\Users\Admin\AppData\Local\Temp\wdmson.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\acmeme.exe"C:\Users\Admin\AppData\Local\Temp\acmeme.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qqnaju.exe"C:\Users\Admin\AppData\Local\Temp\qqnaju.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\wjwosw.exe"C:\Users\Admin\AppData\Local\Temp\wjwosw.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pqzjhn.exe"C:\Users\Admin\AppData\Local\Temp\pqzjhn.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uqzfmj.exe"C:\Users\Admin\AppData\Local\Temp\uqzfmj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\lahvjd.exe"C:\Users\Admin\AppData\Local\Temp\lahvjd.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dwpjqs.exe"C:\Users\Admin\AppData\Local\Temp\dwpjqs.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vemuqr.exe"C:\Users\Admin\AppData\Local\Temp\vemuqr.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nzgowh.exe"C:\Users\Admin\AppData\Local\Temp\nzgowh.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kvqgom.exe"C:\Users\Admin\AppData\Local\Temp\kvqgom.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kjiosh.exe"C:\Users\Admin\AppData\Local\Temp\kjiosh.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\naaskw.exe"C:\Users\Admin\AppData\Local\Temp\naaskw.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hfahoc.exe"C:\Users\Admin\AppData\Local\Temp\hfahoc.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ujetfg.exe"C:\Users\Admin\AppData\Local\Temp\ujetfg.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\igrcxg.exe"C:\Users\Admin\AppData\Local\Temp\igrcxg.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fqpnzx.exe"C:\Users\Admin\AppData\Local\Temp\fqpnzx.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hncexx.exe"C:\Users\Admin\AppData\Local\Temp\hncexx.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xbkymi.exe"C:\Users\Admin\AppData\Local\Temp\xbkymi.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gcpzwp.exe"C:\Users\Admin\AppData\Local\Temp\gcpzwp.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\oqfslv.exe"C:\Users\Admin\AppData\Local\Temp\oqfslv.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ctrams.exe"C:\Users\Admin\AppData\Local\Temp\ctrams.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fromwj.exe"C:\Users\Admin\AppData\Local\Temp\fromwj.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jplhve.exe"C:\Users\Admin\AppData\Local\Temp\jplhve.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wjujwu.exe"C:\Users\Admin\AppData\Local\Temp\wjujwu.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qgtayj.exe"C:\Users\Admin\AppData\Local\Temp\qgtayj.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rocgcd.exe"C:\Users\Admin\AppData\Local\Temp\rocgcd.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gxortu.exe"C:\Users\Admin\AppData\Local\Temp\gxortu.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ttgfpg.exe"C:\Users\Admin\AppData\Local\Temp\ttgfpg.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dgubwb.exe"C:\Users\Admin\AppData\Local\Temp\dgubwb.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bsxwkg.exe"C:\Users\Admin\AppData\Local\Temp\bsxwkg.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yesfuh.exe"C:\Users\Admin\AppData\Local\Temp\yesfuh.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hcnhay.exe"C:\Users\Admin\AppData\Local\Temp\hcnhay.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\peqzqc.exe"C:\Users\Admin\AppData\Local\Temp\peqzqc.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nkqmws.exe"C:\Users\Admin\AppData\Local\Temp\nkqmws.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\opsafj.exe"C:\Users\Admin\AppData\Local\Temp\opsafj.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gjmito.exe"C:\Users\Admin\AppData\Local\Temp\gjmito.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bnzyyn.exe"C:\Users\Admin\AppData\Local\Temp\bnzyyn.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\twfwms.exe"C:\Users\Admin\AppData\Local\Temp\twfwms.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\wthtua.exe"C:\Users\Admin\AppData\Local\Temp\wthtua.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fitjqm.exe"C:\Users\Admin\AppData\Local\Temp\fitjqm.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\lkucjw.exe"C:\Users\Admin\AppData\Local\Temp\lkucjw.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "lkucjw" /tr "C:\Users\Admin\AppData\Roaming\lkucjw.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\kqllra.exe"C:\Users\Admin\AppData\Local\Temp\kqllra.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\whkxum.exe"C:\Users\Admin\AppData\Local\Temp\whkxum.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\cfvlgo.exe"C:\Users\Admin\AppData\Local\Temp\cfvlgo.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ykmlei.exe"C:\Users\Admin\AppData\Local\Temp\ykmlei.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sfxyxl.exe"C:\Users\Admin\AppData\Local\Temp\sfxyxl.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nikcjs.exe"C:\Users\Admin\AppData\Local\Temp\nikcjs.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hckrgj.exe"C:\Users\Admin\AppData\Local\Temp\hckrgj.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kqqlyt.exe"C:\Users\Admin\AppData\Local\Temp\kqqlyt.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mcjxta.exe"C:\Users\Admin\AppData\Local\Temp\mcjxta.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vzmdtm.exe"C:\Users\Admin\AppData\Local\Temp\vzmdtm.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dxkzkm.exe"C:\Users\Admin\AppData\Local\Temp\dxkzkm.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bavded.exe"C:\Users\Admin\AppData\Local\Temp\bavded.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dhddbo.exe"C:\Users\Admin\AppData\Local\Temp\dhddbo.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rhhelv.exe"C:\Users\Admin\AppData\Local\Temp\rhhelv.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cppjgk.exe"C:\Users\Admin\AppData\Local\Temp\cppjgk.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fejyoi.exe"C:\Users\Admin\AppData\Local\Temp\fejyoi.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ylfekx.exe"C:\Users\Admin\AppData\Local\Temp\ylfekx.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yiyful.exe"C:\Users\Admin\AppData\Local\Temp\yiyful.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wsyyll.exe"C:\Users\Admin\AppData\Local\Temp\wsyyll.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fzlpwu.exe"C:\Users\Admin\AppData\Local\Temp\fzlpwu.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wrtlya.exe"C:\Users\Admin\AppData\Local\Temp\wrtlya.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tftveq.exe"C:\Users\Admin\AppData\Local\Temp\tftveq.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\inwjfc.exe"C:\Users\Admin\AppData\Local\Temp\inwjfc.exe"4⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "inwjfc" /tr "C:\Users\Admin\AppData\Roaming\inwjfc.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\ptsixs.exe"C:\Users\Admin\AppData\Local\Temp\ptsixs.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xmbwru.exe"C:\Users\Admin\AppData\Local\Temp\xmbwru.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dcbdlz.exe"C:\Users\Admin\AppData\Local\Temp\dcbdlz.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xwvdno.exe"C:\Users\Admin\AppData\Local\Temp\xwvdno.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mhsysp.exe"C:\Users\Admin\AppData\Local\Temp\mhsysp.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wjolht.exe"C:\Users\Admin\AppData\Local\Temp\wjolht.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\lmrtoa.exe"C:\Users\Admin\AppData\Local\Temp\lmrtoa.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\kfujze.exe"C:\Users\Admin\AppData\Local\Temp\kfujze.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\djqkbe.exe"C:\Users\Admin\AppData\Local\Temp\djqkbe.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\imwvzi.exe"C:\Users\Admin\AppData\Local\Temp\imwvzi.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ppxzxm.exe"C:\Users\Admin\AppData\Local\Temp\ppxzxm.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ernwns.exe"C:\Users\Admin\AppData\Local\Temp\ernwns.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jcfhjo.exe"C:\Users\Admin\AppData\Local\Temp\jcfhjo.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gwjpfg.exe"C:\Users\Admin\AppData\Local\Temp\gwjpfg.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vbiptx.exe"C:\Users\Admin\AppData\Local\Temp\vbiptx.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\apnjey.exe"C:\Users\Admin\AppData\Local\Temp\apnjey.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dlhhfh.exe"C:\Users\Admin\AppData\Local\Temp\dlhhfh.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rhwyay.exe"C:\Users\Admin\AppData\Local\Temp\rhwyay.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zbdhpd.exe"C:\Users\Admin\AppData\Local\Temp\zbdhpd.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yzkqdw.exe"C:\Users\Admin\AppData\Local\Temp\yzkqdw.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dpypvx.exe"C:\Users\Admin\AppData\Local\Temp\dpypvx.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\faygey.exe"C:\Users\Admin\AppData\Local\Temp\faygey.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hyqbyy.exe"C:\Users\Admin\AppData\Local\Temp\hyqbyy.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kxbkpr.exe"C:\Users\Admin\AppData\Local\Temp\kxbkpr.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\usajke.exe"C:\Users\Admin\AppData\Local\Temp\usajke.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nmhlep.exe"C:\Users\Admin\AppData\Local\Temp\nmhlep.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iblysz.exe"C:\Users\Admin\AppData\Local\Temp\iblysz.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\asxear.exe"C:\Users\Admin\AppData\Local\Temp\asxear.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mwbmfg.exe"C:\Users\Admin\AppData\Local\Temp\mwbmfg.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vtzgvd.exe"C:\Users\Admin\AppData\Local\Temp\vtzgvd.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xwqttr.exe"C:\Users\Admin\AppData\Local\Temp\xwqttr.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rwtbtx.exe"C:\Users\Admin\AppData\Local\Temp\rwtbtx.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mlfbjw.exe"C:\Users\Admin\AppData\Local\Temp\mlfbjw.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\myiwdr.exe"C:\Users\Admin\AppData\Local\Temp\myiwdr.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\tfghay.exe"C:\Users\Admin\AppData\Local\Temp\tfghay.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\yrkgzj.exe"C:\Users\Admin\AppData\Local\Temp\yrkgzj.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\zctrqf.exe"C:\Users\Admin\AppData\Local\Temp\zctrqf.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\vghnja.exe"C:\Users\Admin\AppData\Local\Temp\vghnja.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\yogthu.exe"C:\Users\Admin\AppData\Local\Temp\yogthu.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\msjpjl.exe"C:\Users\Admin\AppData\Local\Temp\msjpjl.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\pvkvqd.exe"C:\Users\Admin\AppData\Local\Temp\pvkvqd.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\qztydc.exe"C:\Users\Admin\AppData\Local\Temp\qztydc.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\buicax.exe"C:\Users\Admin\AppData\Local\Temp\buicax.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfwgim.exe"C:\Users\Admin\AppData\Local\Temp\jfwgim.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\rekqug.exe"C:\Users\Admin\AppData\Local\Temp\rekqug.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ajthcv.exe"C:\Users\Admin\AppData\Local\Temp\ajthcv.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vzqdxk.exe"C:\Users\Admin\AppData\Local\Temp\vzqdxk.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gzkesm.exe"C:\Users\Admin\AppData\Local\Temp\gzkesm.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mjsmge.exe"C:\Users\Admin\AppData\Local\Temp\mjsmge.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pimyel.exe"C:\Users\Admin\AppData\Local\Temp\pimyel.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tafmyu.exe"C:\Users\Admin\AppData\Local\Temp\tafmyu.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jtsnha.exe"C:\Users\Admin\AppData\Local\Temp\jtsnha.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gfilzi.exe"C:\Users\Admin\AppData\Local\Temp\gfilzi.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bmmxek.exe"C:\Users\Admin\AppData\Local\Temp\bmmxek.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ondost.exe"C:\Users\Admin\AppData\Local\Temp\ondost.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ixvekw.exe"C:\Users\Admin\AppData\Local\Temp\ixvekw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ftbpvz.exe"C:\Users\Admin\AppData\Local\Temp\ftbpvz.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uzcsfa.exe"C:\Users\Admin\AppData\Local\Temp\uzcsfa.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wejdwr.exe"C:\Users\Admin\AppData\Local\Temp\wejdwr.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zvwuyl.exe"C:\Users\Admin\AppData\Local\Temp\zvwuyl.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ruayej.exe"C:\Users\Admin\AppData\Local\Temp\ruayej.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ebulgg.exe"C:\Users\Admin\AppData\Local\Temp\ebulgg.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hmrnce.exe"C:\Users\Admin\AppData\Local\Temp\hmrnce.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hwhcso.exe"C:\Users\Admin\AppData\Local\Temp\hwhcso.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kfbdfo.exe"C:\Users\Admin\AppData\Local\Temp\kfbdfo.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\akvqyb.exe"C:\Users\Admin\AppData\Local\Temp\akvqyb.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yvusne.exe"C:\Users\Admin\AppData\Local\Temp\yvusne.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\flycwk.exe"C:\Users\Admin\AppData\Local\Temp\flycwk.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ouydiv.exe"C:\Users\Admin\AppData\Roaming\ouydiv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ouydiv.exe"C:\Users\Admin\AppData\Roaming\ouydiv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\svtkzi.exe"C:\Users\Admin\AppData\Roaming\svtkzi.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\svtkzi.exe"C:\Users\Admin\AppData\Roaming\svtkzi.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ouydiv.exe"C:\Users\Admin\AppData\Roaming\ouydiv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ufckxm.exe"C:\Users\Admin\AppData\Roaming\ufckxm.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\svtkzi.exe"C:\Users\Admin\AppData\Roaming\svtkzi.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ufckxm.exe"C:\Users\Admin\AppData\Roaming\ufckxm.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ouydiv.exe"C:\Users\Admin\AppData\Roaming\ouydiv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\inwjfc.exe"C:\Users\Admin\AppData\Roaming\inwjfc.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\svtkzi.exe"C:\Users\Admin\AppData\Roaming\svtkzi.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\txsyfb.exe"C:\Users\Admin\AppData\Roaming\txsyfb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\gticfu.exe"C:\Users\Admin\AppData\Roaming\gticfu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\inwjfc.exe"C:\Users\Admin\AppData\Roaming\inwjfc.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ufckxm.exe"C:\Users\Admin\AppData\Roaming\ufckxm.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\fokdxl.exe"C:\Users\Admin\AppData\Roaming\fokdxl.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ouydiv.exe"C:\Users\Admin\AppData\Roaming\ouydiv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ugbvab.exe"C:\Users\Admin\AppData\Roaming\ugbvab.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\rmoutu.exe"C:\Users\Admin\AppData\Roaming\rmoutu.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\lkucjw.exe"C:\Users\Admin\AppData\Roaming\lkucjw.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD526c94c408a5a2e1e04f1191fc2902d3e
SHA1ce50b153be03511bd62a477abf71a7e9f94e68a5
SHA25686ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec
SHA51270e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586
-
Filesize
1KB
MD5f0eee17537dbc07ea24a91dcebd1bbae
SHA1112e07f97761ccb57c0acac4ce02a930d2421d1f
SHA256420500934c21c5d228bd7d6e3800a1c034cab78654ca3d0309ba69c754db1e62
SHA512eb37a0fa1a9511bc648449f3d281428bb4fa0553f17e7b7c2f128a90d2f501f2f9bb0b00faa942d211a542e0304649c35b6e5d277d62f7a3b6b5585917458520
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
152KB
MD5c0a4054bc0a6553d3a246d91e6cdc95b
SHA1b8722a0cf5483539ce965098fb299ad129d1a36b
SHA2560c20402e4957de72ae5e6c5ce00d0dfab6a49affb260996b3290d44264977909
SHA5125f5e88e876e6363992cd28794203874d27fc204bc7df004d32bfa18ebd0797c8c89ccb6b4cc44d4bdf6a9b476d5be5bec2a91bdc7020ba7b3628b98c9587ea5e
-
Filesize
159KB
MD549a6b6e8627762b929999b0b1fe6d604
SHA14a47bbb17c6cbda79794428df97d203b7261af79
SHA256ca6aa52d419303376de2c37b4c8f6bdd41e31e55de6d178520ad5056303b6571
SHA512c967dcb9be6b1fa73f1ef50a7785c17919365857be63923c6cad53362931d9a1c9fb41a43d68a050ad2a50239580fc8294e61e2ba10ee19d185f4f91c035b85b
-
Filesize
158KB
MD5eccccd69bbde41339441e5278f21bc10
SHA1d1d96bfea61f93c10064417f3682bcebd682a7ad
SHA25669074dfb9990c949ae7238d95ff74d2cd294e54759ee1f087519aec081098541
SHA512edb20574c49e7495eef969113f3a38979b8ef85669da30de4c0e0632ea2467fc3e11ef62686e32b5c90d29e99abc66d5cdc97d5bc420f356eb04b72e71553dea
-
Filesize
156KB
MD5e2cf7cb958bda8d948e80bdb78d6e283
SHA134c18cf619966914046b7a8f9070b0ee9ca0523d
SHA25607f878b812dc294a61fb6030dffab309e4a05bef322759a198f110aa88c3b402
SHA5123197a3a08069a2a33cea248503132dff4369efe6b83d13db61ef5be81e26f5c3f57ecba9c31e73754f321848dcf491f19eb0249f5f182c2332ae0879ed84b56c
-
Filesize
161KB
MD5a2e166ef9ba63b78150b9e08767d0764
SHA1885c223c8436ee6184f6335f3bcf7bd761e85319
SHA2560626693b0820897af0b56b9092439ce955a2435b610127d1686ea256eddc230f
SHA51204651a2f9f4d648b95e7a5e67a1e1ddbaa12d8d2d1fecbf2da956b58826ad2f0aee2b1e182b1beab3f73215185f7c402df67fed4e0bcf401a2eea64ec34c627b
-
Filesize
30KB
MD5d8a05fae946f16dbb12d5489f2b68230
SHA1f8068ceb85905539ed39dc4dc187088487b09e17
SHA2567876b3d0721a40d4d80f873be9ff79e722e28bd24ba0ee9ab9faac5c7aa69899
SHA512661fc778e40c260756d928fe3bed91c3cbc8884ac27a071e1bf3c8f97c9133bd4bd853371baed477a3988305c12e1c405d03059f8652d810a23eb6050f6ade77
-
Filesize
34KB
MD5950d739da650457fab6a225545794238
SHA1e965286161ecda1b8c0072d8a2d80c191bb15705
SHA256a571fcac5384158c4927e7c7cf07182b68eccf67845ba927beae44cd9835e3f8
SHA512b7b91343176c5a7f6408b21fbc96c23d0b02c080b846e29f304ba91de1d0f37a772953e7ab65d1d627cb3490fbef3b85681564e878d8dcda57c0897dbad1d19b
-
Filesize
161KB
MD5760aa2ef40d31c55f0019cc916e9de48
SHA10228e46ca0a0303bebf54a65bf5da8111c4de402
SHA2567ae58db4879d8daf291c5eab58ca9b49bc1b5c63153a02d175d83406a71a2806
SHA512ce85a4af522b22d696ff98e176e2f97280363ac5e4161e39dac8cb0404af8d20fc4efe0ddd9e39cfa07bef28b65960c9a56822c6436b715f37ec6df9bd512d04
-
Filesize
159KB
MD5c73cfd1942fdfaf5d6f3940ca42bbadd
SHA19c9424953c85d03daf296d7841577228d15e1884
SHA2563d735b082f087b25561d293d17a6cda64326f3d48c1db53a2941ded1afc78773
SHA5129d7ce397b67e704773f7a9ea6c9cd1e5345f2211a67ac5dd5f622118690ed295a18e763c47e5c208240f71d4bedb67ba1e869faff466602f8e97350f9df9495c
-
Filesize
151KB
MD55cdc9671612660bd34747c635218a649
SHA18cebfbdfc27689d9988d4512da7d855c13eb8e0b
SHA256119b3e5a0b2aad4dc9a6a7376dde77e80826830a24a08aefd858710e79a11db9
SHA512a33bfb9c9db6469274a38bee8038fa7a86b2e336e48776bee788b7b2b372556b5880253cdc7856339130ca8b29c199a739020e78ca29cc401f441e2ac18280ef
-
Filesize
166KB
MD57a7586c1278ecdb7881a3b34f841b722
SHA18c991bb42729a7e34a096f9d3b23e7e0a25329a8
SHA256e2e527d70759106b6d1f479d0a1edd99d9b57c7fdfde2fffd1705e2161438a7f
SHA51279ddd9f08587767ab6b2b66fa7873b0de9a51b8ee52abe8b9ed7e7cf9c42ddd3e45069e978bde40e1708c44a7d8c6a5c271e1dd7129501227dcd8dc5477872b2
-
Filesize
59KB
MD56c091ad6fae0fa76f44870d1a1b05cb4
SHA1040f60c0ee3f4902f919025057e34ab4d11b1abd
SHA256c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
SHA5123a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
Filesize
56KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
176KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
192KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
176KB