Analysis
-
max time kernel
898s -
max time network
902s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
06/03/2025, 18:12
General
-
Target
15415145.exe
-
Size
59KB
-
MD5
6c091ad6fae0fa76f44870d1a1b05cb4
-
SHA1
040f60c0ee3f4902f919025057e34ab4d11b1abd
-
SHA256
c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
-
SHA512
3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
SSDEEP
1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
known-savage.gl.at.ply.gg:45116
association-lectures.gl.at.ply.gg:32463
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
aes.plain
aes.plain
Signatures
-
Detect Xworm Payload 24 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 22 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15415145.exe"C:\Users\Admin\AppData\Local\Temp\15415145.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "15415145" /tr "C:\Users\Admin\AppData\Roaming\15415145.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\ppbduv.exe"C:\Users\Admin\AppData\Local\Temp\ppbduv.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ppbduv.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ppbduv.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ppbduv.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ppbduv" /tr "C:\Users\Admin\AppData\Roaming\ppbduv.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\otwebf.exe"C:\Users\Admin\AppData\Local\Temp\otwebf.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\ahlczu.exe"C:\Users\Admin\AppData\Local\Temp\ahlczu.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\mdbhzb.exe"C:\Users\Admin\AppData\Local\Temp\mdbhzb.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mdbhzb" /tr "C:\Users\Admin\AppData\Roaming\mdbhzb.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\ddnzzu.exe"C:\Users\Admin\AppData\Local\Temp\ddnzzu.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ztfecf.exe"C:\Users\Admin\AppData\Local\Temp\ztfecf.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jtfaxf.exe"C:\Users\Admin\AppData\Local\Temp\jtfaxf.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\wkayip.exe"C:\Users\Admin\AppData\Local\Temp\wkayip.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wkayip" /tr "C:\Users\Admin\AppData\Roaming\wkayip.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\uoyauo.exe"C:\Users\Admin\AppData\Local\Temp\uoyauo.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fegvwt.exe"C:\Users\Admin\AppData\Local\Temp\fegvwt.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ctjqjg.exe"C:\Users\Admin\AppData\Local\Temp\ctjqjg.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ctjqjg" /tr "C:\Users\Admin\AppData\Roaming\ctjqjg.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\jiycko.exe"C:\Users\Admin\AppData\Local\Temp\jiycko.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\bxjxnd.exe"C:\Users\Admin\AppData\Local\Temp\bxjxnd.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\myarpn.exe"C:\Users\Admin\AppData\Local\Temp\myarpn.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\buyvht.exe"C:\Users\Admin\AppData\Local\Temp\buyvht.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hlioxn.exe"C:\Users\Admin\AppData\Local\Temp\hlioxn.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\glniit.exe"C:\Users\Admin\AppData\Local\Temp\glniit.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kthtou.exe"C:\Users\Admin\AppData\Local\Temp\kthtou.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tcvenu.exe"C:\Users\Admin\AppData\Local\Temp\tcvenu.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ddyzwm.exe"C:\Users\Admin\AppData\Local\Temp\ddyzwm.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xnafuy.exe"C:\Users\Admin\AppData\Local\Temp\xnafuy.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gnzvqc.exe"C:\Users\Admin\AppData\Local\Temp\gnzvqc.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qepghw.exe"C:\Users\Admin\AppData\Local\Temp\qepghw.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gifece.exe"C:\Users\Admin\AppData\Local\Temp\gifece.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ydxnlu.exe"C:\Users\Admin\AppData\Local\Temp\ydxnlu.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ohoalu.exe"C:\Users\Admin\AppData\Local\Temp\ohoalu.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\seyjnb.exe"C:\Users\Admin\AppData\Local\Temp\seyjnb.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uxmsoj.exe"C:\Users\Admin\AppData\Local\Temp\uxmsoj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fwwcto.exe"C:\Users\Admin\AppData\Local\Temp\fwwcto.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gslvgr.exe"C:\Users\Admin\AppData\Local\Temp\gslvgr.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\atcfgi.exe"C:\Users\Admin\AppData\Local\Temp\atcfgi.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\npsunc.exe"C:\Users\Admin\AppData\Local\Temp\npsunc.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xwveje.exe"C:\Users\Admin\AppData\Local\Temp\xwveje.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sfooio.exe"C:\Users\Admin\AppData\Local\Temp\sfooio.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xmnats.exe"C:\Users\Admin\AppData\Local\Temp\xmnats.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\wmvjif.exe"C:\Users\Admin\AppData\Local\Temp\wmvjif.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\oltcez.exe"C:\Users\Admin\AppData\Local\Temp\oltcez.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ssstgj.exe"C:\Users\Admin\AppData\Local\Temp\ssstgj.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jiyzjz.exe"C:\Users\Admin\AppData\Local\Temp\jiyzjz.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vyiuxk.exe"C:\Users\Admin\AppData\Local\Temp\vyiuxk.exe"4⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "vyiuxk" /tr "C:\Users\Admin\AppData\Roaming\vyiuxk.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\rmmhfp.exe"C:\Users\Admin\AppData\Local\Temp\rmmhfp.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\skasfp.exe"C:\Users\Admin\AppData\Local\Temp\skasfp.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nfherh.exe"C:\Users\Admin\AppData\Local\Temp\nfherh.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jlccaj.exe"C:\Users\Admin\AppData\Local\Temp\jlccaj.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mcycxp.exe"C:\Users\Admin\AppData\Local\Temp\mcycxp.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cjmtfr.exe"C:\Users\Admin\AppData\Local\Temp\cjmtfr.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yonhdt.exe"C:\Users\Admin\AppData\Local\Temp\yonhdt.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ucdvqq.exe"C:\Users\Admin\AppData\Local\Temp\ucdvqq.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wyxcsu.exe"C:\Users\Admin\AppData\Local\Temp\wyxcsu.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\solcvd.exe"C:\Users\Admin\AppData\Local\Temp\solcvd.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qpnlpw.exe"C:\Users\Admin\AppData\Local\Temp\qpnlpw.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dtzpfd.exe"C:\Users\Admin\AppData\Local\Temp\dtzpfd.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uciihy.exe"C:\Users\Admin\AppData\Local\Temp\uciihy.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gqmigy.exe"C:\Users\Admin\AppData\Local\Temp\gqmigy.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\saqsbr.exe"C:\Users\Admin\AppData\Local\Temp\saqsbr.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gwskqn.exe"C:\Users\Admin\AppData\Local\Temp\gwskqn.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gjmgrw.exe"C:\Users\Admin\AppData\Local\Temp\gjmgrw.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qhtthq.exe"C:\Users\Admin\AppData\Local\Temp\qhtthq.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\yefisb.exe"C:\Users\Admin\AppData\Local\Temp\yefisb.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ilftli.exe"C:\Users\Admin\AppData\Local\Temp\ilftli.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\udahde.exe"C:\Users\Admin\AppData\Local\Temp\udahde.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\binzhb.exe"C:\Users\Admin\AppData\Local\Temp\binzhb.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iwcwnk.exe"C:\Users\Admin\AppData\Local\Temp\iwcwnk.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wunjez.exe"C:\Users\Admin\AppData\Local\Temp\wunjez.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ujaqlu.exe"C:\Users\Admin\AppData\Local\Temp\ujaqlu.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\epwpfg.exe"C:\Users\Admin\AppData\Local\Temp\epwpfg.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zouesp.exe"C:\Users\Admin\AppData\Local\Temp\zouesp.exe"4⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "zouesp" /tr "C:\Users\Admin\AppData\Roaming\zouesp.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\ngserz.exe"C:\Users\Admin\AppData\Local\Temp\ngserz.exe"5⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ngserz" /tr "C:\Users\Admin\AppData\Roaming\ngserz.exe"6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\itlbyk.exe"C:\Users\Admin\AppData\Local\Temp\itlbyk.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ebzcvs.exe"C:\Users\Admin\AppData\Local\Temp\ebzcvs.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\selrim.exe"C:\Users\Admin\AppData\Local\Temp\selrim.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\twzjmy.exe"C:\Users\Admin\AppData\Local\Temp\twzjmy.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dzbtyh.exe"C:\Users\Admin\AppData\Local\Temp\dzbtyh.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vkemfs.exe"C:\Users\Admin\AppData\Local\Temp\vkemfs.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\mtaueq.exe"C:\Users\Admin\AppData\Local\Temp\mtaueq.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\itspwd.exe"C:\Users\Admin\AppData\Local\Temp\itspwd.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\adeazw.exe"C:\Users\Admin\AppData\Local\Temp\adeazw.exe"5⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "adeazw" /tr "C:\Users\Admin\AppData\Roaming\adeazw.exe"6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\tkhjyf.exe"C:\Users\Admin\AppData\Local\Temp\tkhjyf.exe"6⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "tkhjyf" /tr "C:\Users\Admin\AppData\Roaming\tkhjyf.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\qygsyb.exe"C:\Users\Admin\AppData\Local\Temp\qygsyb.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fmwytt.exe"C:\Users\Admin\AppData\Local\Temp\fmwytt.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\azrdll.exe"C:\Users\Admin\AppData\Local\Temp\azrdll.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\nfpvrc.exe"C:\Users\Admin\AppData\Local\Temp\nfpvrc.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qhbrjw.exe"C:\Users\Admin\AppData\Local\Temp\qhbrjw.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\aaactr.exe"C:\Users\Admin\AppData\Local\Temp\aaactr.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csmijt.exe"C:\Users\Admin\AppData\Local\Temp\csmijt.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\haqwfa.exe"C:\Users\Admin\AppData\Local\Temp\haqwfa.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sljykh.exe"C:\Users\Admin\AppData\Local\Temp\sljykh.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\lwccyx.exe"C:\Users\Admin\AppData\Local\Temp\lwccyx.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rumyrb.exe"C:\Users\Admin\AppData\Local\Temp\rumyrb.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xzwdav.exe"C:\Users\Admin\AppData\Local\Temp\xzwdav.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zmxuxr.exe"C:\Users\Admin\AppData\Local\Temp\zmxuxr.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ulzamt.exe"C:\Users\Admin\AppData\Local\Temp\ulzamt.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dkxsur.exe"C:\Users\Admin\AppData\Local\Temp\dkxsur.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\esrvxz.exe"C:\Users\Admin\AppData\Local\Temp\esrvxz.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\prbyle.exe"C:\Users\Admin\AppData\Local\Temp\prbyle.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cqjery.exe"C:\Users\Admin\AppData\Local\Temp\cqjery.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xjsfut.exe"C:\Users\Admin\AppData\Local\Temp\xjsfut.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hybbai.exe"C:\Users\Admin\AppData\Local\Temp\hybbai.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\reefzh.exe"C:\Users\Admin\AppData\Local\Temp\reefzh.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ddpyff.exe"C:\Users\Admin\AppData\Local\Temp\ddpyff.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\coxihj.exe"C:\Users\Admin\AppData\Local\Temp\coxihj.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\klveod.exe"C:\Users\Admin\AppData\Local\Temp\klveod.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\imyvqs.exe"C:\Users\Admin\AppData\Local\Temp\imyvqs.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "imyvqs" /tr "C:\Users\Admin\AppData\Roaming\imyvqs.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\locmkr.exe"C:\Users\Admin\AppData\Local\Temp\locmkr.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\lvteqa.exe"C:\Users\Admin\AppData\Local\Temp\lvteqa.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jekgqx.exe"C:\Users\Admin\AppData\Local\Temp\jekgqx.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jnwvvp.exe"C:\Users\Admin\AppData\Local\Temp\jnwvvp.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wnsnbg.exe"C:\Users\Admin\AppData\Local\Temp\wnsnbg.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cbpuzm.exe"C:\Users\Admin\AppData\Local\Temp\cbpuzm.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\arqhde.exe"C:\Users\Admin\AppData\Local\Temp\arqhde.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vmxrhx.exe"C:\Users\Admin\AppData\Local\Temp\vmxrhx.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dytinw.exe"C:\Users\Admin\AppData\Local\Temp\dytinw.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fptmpw.exe"C:\Users\Admin\AppData\Local\Temp\fptmpw.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\yxtmbo.exe"C:\Users\Admin\AppData\Local\Temp\yxtmbo.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kpexfz.exe"C:\Users\Admin\AppData\Local\Temp\kpexfz.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gbkrai.exe"C:\Users\Admin\AppData\Local\Temp\gbkrai.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sfgvkc.exe"C:\Users\Admin\AppData\Local\Temp\sfgvkc.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nuospj.exe"C:\Users\Admin\AppData\Local\Temp\nuospj.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\snbuif.exe"C:\Users\Admin\AppData\Local\Temp\snbuif.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kjkigr.exe"C:\Users\Admin\AppData\Local\Temp\kjkigr.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\sfstbl.exe"C:\Users\Admin\AppData\Local\Temp\sfstbl.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mnpktk.exe"C:\Users\Admin\AppData\Local\Temp\mnpktk.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\qdnrzg.exe"C:\Users\Admin\AppData\Local\Temp\qdnrzg.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\asaues.exe"C:\Users\Admin\AppData\Local\Temp\asaues.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xmtehr.exe"C:\Users\Admin\AppData\Local\Temp\xmtehr.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ykyoce.exe"C:\Users\Admin\AppData\Local\Temp\ykyoce.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jttdgb.exe"C:\Users\Admin\AppData\Local\Temp\jttdgb.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uitrde.exe"C:\Users\Admin\AppData\Local\Temp\uitrde.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rtkeio.exe"C:\Users\Admin\AppData\Local\Temp\rtkeio.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\awoxhm.exe"C:\Users\Admin\AppData\Local\Temp\awoxhm.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\edziri.exe"C:\Users\Admin\AppData\Local\Temp\edziri.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\reuyxl.exe"C:\Users\Admin\AppData\Local\Temp\reuyxl.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\wqmwtr.exe"C:\Users\Admin\AppData\Local\Temp\wqmwtr.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jffcrl.exe"C:\Users\Admin\AppData\Local\Temp\jffcrl.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hauiyl.exe"C:\Users\Admin\AppData\Local\Temp\hauiyl.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\behked.exe"C:\Users\Admin\AppData\Local\Temp\behked.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kctnnj.exe"C:\Users\Admin\AppData\Local\Temp\kctnnj.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ikomzz.exe"C:\Users\Admin\AppData\Local\Temp\ikomzz.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fddxoc.exe"C:\Users\Admin\AppData\Local\Temp\fddxoc.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hbmoar.exe"C:\Users\Admin\AppData\Local\Temp\hbmoar.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\oifjwt.exe"C:\Users\Admin\AppData\Local\Temp\oifjwt.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dllimq.exe"C:\Users\Admin\AppData\Local\Temp\dllimq.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xwrvth.exe"C:\Users\Admin\AppData\Local\Temp\xwrvth.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wvbucu.exe"C:\Users\Admin\AppData\Local\Temp\wvbucu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ieqfdc.exe"C:\Users\Admin\AppData\Local\Temp\ieqfdc.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rwccyf.exe"C:\Users\Admin\AppData\Local\Temp\rwccyf.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dznvin.exe"C:\Users\Admin\AppData\Local\Temp\dznvin.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nxrmzs.exe"C:\Users\Admin\AppData\Local\Temp\nxrmzs.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\klhfrf.exe"C:\Users\Admin\AppData\Local\Temp\klhfrf.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\quflas.exe"C:\Users\Admin\AppData\Local\Temp\quflas.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cyijqp.exe"C:\Users\Admin\AppData\Local\Temp\cyijqp.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ouxlru.exe"C:\Users\Admin\AppData\Local\Temp\ouxlru.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tamngf.exe"C:\Users\Admin\AppData\Local\Temp\tamngf.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dwexur.exe"C:\Users\Admin\AppData\Local\Temp\dwexur.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\umexme.exe"C:\Users\Admin\AppData\Local\Temp\umexme.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zsyusj.exe"C:\Users\Admin\AppData\Local\Temp\zsyusj.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ukyljn.exe"C:\Users\Admin\AppData\Local\Temp\ukyljn.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\nhfobc.exe"C:\Users\Admin\AppData\Local\Temp\nhfobc.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jtdsui.exe"C:\Users\Admin\AppData\Local\Temp\jtdsui.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\lhuoon.exe"C:\Users\Admin\AppData\Local\Temp\lhuoon.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ukhkua.exe"C:\Users\Admin\AppData\Local\Temp\ukhkua.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\qhqzjk.exe"C:\Users\Admin\AppData\Local\Temp\qhqzjk.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\xckjrt.exe"C:\Users\Admin\AppData\Local\Temp\xckjrt.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\zmfitf.exe"C:\Users\Admin\AppData\Local\Temp\zmfitf.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\qtjtwr.exe"C:\Users\Admin\AppData\Local\Temp\qtjtwr.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\gfvkqy.exe"C:\Users\Admin\AppData\Local\Temp\gfvkqy.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\gcnext.exe"C:\Users\Admin\AppData\Local\Temp\gcnext.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ljktvr.exe"C:\Users\Admin\AppData\Local\Temp\ljktvr.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ybpboc.exe"C:\Users\Admin\AppData\Local\Temp\ybpboc.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hlrbtb.exe"C:\Users\Admin\AppData\Local\Temp\hlrbtb.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rxlytd.exe"C:\Users\Admin\AppData\Local\Temp\rxlytd.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pmmldo.exe"C:\Users\Admin\AppData\Local\Temp\pmmldo.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\gvomwj.exe"C:\Users\Admin\AppData\Local\Temp\gvomwj.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\uxysuu.exe"C:\Users\Admin\AppData\Local\Temp\uxysuu.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bfrtde.exe"C:\Users\Admin\AppData\Local\Temp\bfrtde.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\heimnz.exe"C:\Users\Admin\AppData\Local\Temp\heimnz.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hmqhej.exe"C:\Users\Admin\AppData\Local\Temp\hmqhej.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fnybvt.exe"C:\Users\Admin\AppData\Local\Temp\fnybvt.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nuphhw.exe"C:\Users\Admin\AppData\Local\Temp\nuphhw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\czdrwn.exe"C:\Users\Admin\AppData\Local\Temp\czdrwn.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\mvihdz.exe"C:\Users\Admin\AppData\Local\Temp\mvihdz.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\guhoej.exe"C:\Users\Admin\AppData\Local\Temp\guhoej.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tntomh.exe"C:\Users\Admin\AppData\Local\Temp\tntomh.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wakxfi.exe"C:\Users\Admin\AppData\Local\Temp\wakxfi.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pzxmjo.exe"C:\Users\Admin\AppData\Local\Temp\pzxmjo.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wqpcvi.exe"C:\Users\Admin\AppData\Local\Temp\wqpcvi.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bxjzva.exe"C:\Users\Admin\AppData\Local\Temp\bxjzva.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\myqfot.exe"C:\Users\Admin\AppData\Local\Temp\myqfot.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\domvvw.exe"C:\Users\Admin\AppData\Local\Temp\domvvw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\doqzre.exe"C:\Users\Admin\AppData\Local\Temp\doqzre.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\buksso.exe"C:\Users\Admin\AppData\Local\Temp\buksso.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ngserz.exe"C:\Users\Admin\AppData\Roaming\ngserz.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ngserz.exe"C:\Users\Admin\AppData\Roaming\ngserz.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\adeazw.exe"C:\Users\Admin\AppData\Roaming\adeazw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\adeazw.exe"C:\Users\Admin\AppData\Roaming\adeazw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ngserz.exe"C:\Users\Admin\AppData\Roaming\ngserz.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\tkhjyf.exe"C:\Users\Admin\AppData\Roaming\tkhjyf.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\adeazw.exe"C:\Users\Admin\AppData\Roaming\adeazw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ngserz.exe"C:\Users\Admin\AppData\Roaming\ngserz.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\tkhjyf.exe"C:\Users\Admin\AppData\Roaming\tkhjyf.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\vyiuxk.exe"C:\Users\Admin\AppData\Roaming\vyiuxk.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ctjqjg.exe"C:\Users\Admin\AppData\Roaming\ctjqjg.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\adeazw.exe"C:\Users\Admin\AppData\Roaming\adeazw.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ppbduv.exe"C:\Users\Admin\AppData\Roaming\ppbduv.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\mdbhzb.exe"C:\Users\Admin\AppData\Roaming\mdbhzb.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\imyvqs.exe"C:\Users\Admin\AppData\Roaming\imyvqs.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\15415145.exe"C:\Users\Admin\AppData\Roaming\15415145.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\zouesp.exe"C:\Users\Admin\AppData\Roaming\zouesp.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\wkayip.exe"C:\Users\Admin\AppData\Roaming\wkayip.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ngserz.exe"C:\Users\Admin\AppData\Roaming\ngserz.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\tkhjyf.exe"C:\Users\Admin\AppData\Roaming\tkhjyf.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD56a807b1c91ac66f33f88a787d64904c1
SHA183c554c7de04a8115c9005709e5cd01fca82c5d3
SHA256155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256
SHA51229f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200
-
Filesize
1KB
MD53caf917b1ebfa78eb8b14105254e1620
SHA103f062b326fc4b5e28b5bf3a30ef6c43d114ca66
SHA25684ea2570cb450ef442ddc7874aa109174711280e6eae41eed67db35f155bb006
SHA51207f408a7660a3d22d61b4597c16a095c2ad395b8376bb4b92edc61ca73559d92be3ef45d5a34f19b30b4f79e5e7e74e71c84fd5c43f84d4704b75fb643d11bac
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
159KB
MD5c73cfd1942fdfaf5d6f3940ca42bbadd
SHA19c9424953c85d03daf296d7841577228d15e1884
SHA2563d735b082f087b25561d293d17a6cda64326f3d48c1db53a2941ded1afc78773
SHA5129d7ce397b67e704773f7a9ea6c9cd1e5345f2211a67ac5dd5f622118690ed295a18e763c47e5c208240f71d4bedb67ba1e869faff466602f8e97350f9df9495c
-
Filesize
152KB
MD5c0a4054bc0a6553d3a246d91e6cdc95b
SHA1b8722a0cf5483539ce965098fb299ad129d1a36b
SHA2560c20402e4957de72ae5e6c5ce00d0dfab6a49affb260996b3290d44264977909
SHA5125f5e88e876e6363992cd28794203874d27fc204bc7df004d32bfa18ebd0797c8c89ccb6b4cc44d4bdf6a9b476d5be5bec2a91bdc7020ba7b3628b98c9587ea5e
-
Filesize
156KB
MD5e2cf7cb958bda8d948e80bdb78d6e283
SHA134c18cf619966914046b7a8f9070b0ee9ca0523d
SHA25607f878b812dc294a61fb6030dffab309e4a05bef322759a198f110aa88c3b402
SHA5123197a3a08069a2a33cea248503132dff4369efe6b83d13db61ef5be81e26f5c3f57ecba9c31e73754f321848dcf491f19eb0249f5f182c2332ae0879ed84b56c
-
Filesize
159KB
MD549a6b6e8627762b929999b0b1fe6d604
SHA14a47bbb17c6cbda79794428df97d203b7261af79
SHA256ca6aa52d419303376de2c37b4c8f6bdd41e31e55de6d178520ad5056303b6571
SHA512c967dcb9be6b1fa73f1ef50a7785c17919365857be63923c6cad53362931d9a1c9fb41a43d68a050ad2a50239580fc8294e61e2ba10ee19d185f4f91c035b85b
-
Filesize
161KB
MD5760aa2ef40d31c55f0019cc916e9de48
SHA10228e46ca0a0303bebf54a65bf5da8111c4de402
SHA2567ae58db4879d8daf291c5eab58ca9b49bc1b5c63153a02d175d83406a71a2806
SHA512ce85a4af522b22d696ff98e176e2f97280363ac5e4161e39dac8cb0404af8d20fc4efe0ddd9e39cfa07bef28b65960c9a56822c6436b715f37ec6df9bd512d04
-
Filesize
30KB
MD5d8a05fae946f16dbb12d5489f2b68230
SHA1f8068ceb85905539ed39dc4dc187088487b09e17
SHA2567876b3d0721a40d4d80f873be9ff79e722e28bd24ba0ee9ab9faac5c7aa69899
SHA512661fc778e40c260756d928fe3bed91c3cbc8884ac27a071e1bf3c8f97c9133bd4bd853371baed477a3988305c12e1c405d03059f8652d810a23eb6050f6ade77
-
Filesize
34KB
MD5950d739da650457fab6a225545794238
SHA1e965286161ecda1b8c0072d8a2d80c191bb15705
SHA256a571fcac5384158c4927e7c7cf07182b68eccf67845ba927beae44cd9835e3f8
SHA512b7b91343176c5a7f6408b21fbc96c23d0b02c080b846e29f304ba91de1d0f37a772953e7ab65d1d627cb3490fbef3b85681564e878d8dcda57c0897dbad1d19b
-
Filesize
158KB
MD5eccccd69bbde41339441e5278f21bc10
SHA1d1d96bfea61f93c10064417f3682bcebd682a7ad
SHA25669074dfb9990c949ae7238d95ff74d2cd294e54759ee1f087519aec081098541
SHA512edb20574c49e7495eef969113f3a38979b8ef85669da30de4c0e0632ea2467fc3e11ef62686e32b5c90d29e99abc66d5cdc97d5bc420f356eb04b72e71553dea
-
Filesize
151KB
MD55cdc9671612660bd34747c635218a649
SHA18cebfbdfc27689d9988d4512da7d855c13eb8e0b
SHA256119b3e5a0b2aad4dc9a6a7376dde77e80826830a24a08aefd858710e79a11db9
SHA512a33bfb9c9db6469274a38bee8038fa7a86b2e336e48776bee788b7b2b372556b5880253cdc7856339130ca8b29c199a739020e78ca29cc401f441e2ac18280ef
-
Filesize
166KB
MD57a7586c1278ecdb7881a3b34f841b722
SHA18c991bb42729a7e34a096f9d3b23e7e0a25329a8
SHA256e2e527d70759106b6d1f479d0a1edd99d9b57c7fdfde2fffd1705e2161438a7f
SHA51279ddd9f08587767ab6b2b66fa7873b0de9a51b8ee52abe8b9ed7e7cf9c42ddd3e45069e978bde40e1708c44a7d8c6a5c271e1dd7129501227dcd8dc5477872b2
-
Filesize
161KB
MD5a2e166ef9ba63b78150b9e08767d0764
SHA1885c223c8436ee6184f6335f3bcf7bd761e85319
SHA2560626693b0820897af0b56b9092439ce955a2435b610127d1686ea256eddc230f
SHA51204651a2f9f4d648b95e7a5e67a1e1ddbaa12d8d2d1fecbf2da956b58826ad2f0aee2b1e182b1beab3f73215185f7c402df67fed4e0bcf401a2eea64ec34c627b
-
Filesize
59KB
MD56c091ad6fae0fa76f44870d1a1b05cb4
SHA1040f60c0ee3f4902f919025057e34ab4d11b1abd
SHA256c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
SHA5123a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
176KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
192KB
-
Filesize
184KB
-
Filesize
176KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
136KB