2b594c38d6e850ca43a559e5a56393dd37613f1e87ea14fda212e785f9545c0d

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
Size

10.4MB
MD5

079bb4f8a82dd01498b7917f34780382
SHA1

c4149f7bd613931b1bef8fbfb35a99565a2ca80b
SHA256

2b594c38d6e850ca43a559e5a56393dd37613f1e87ea14fda212e785f9545c0d
SHA512

350136f128d192b9cd21a698d683b254fb1480d87e145cd71585d4eeb6a3f4efb0a88ef9feaaad5fd83d5d951d8bbf194b9cc8661a80e84f668f5b1157d9bf38
SSDEEP

196608:XZGmufsR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS7:XZGnfsREJLODBWlX3d+NpvdHIoQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4144	uykbawtjla.exe
556	uykbawtjla.exe
4516	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4616	oultwhapxm.exe
4908	oultwhapxm.exe
3624	twdlshndnr.exe
4952	twdlshndnr.exe
1948	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
3312	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
4640	brvuevlmra.exe
5880	brvuevlmra.exe
1232	ihqdwcpowb.exe
2692	ihqdwcpowb.exe
2664	nfgjzmvnlu.exe
5492	nfgjzmvnlu.exe
3116	vjdfuzruwx.exe
4108	vjdfuzruwx.exe
1452	frrjicwrju.exe
6064	frrjicwrju.exe
5304	nsaqzvbeyn.exe
3188	nsaqzvbeyn.exe
1712	ajqbnrbudz.exe
3684	ajqbnrbudz.exe
6004	xskclfjjqk.exe
4036	xskclfjjqk.exe
2172	xaujhjggvi.exe
2064	xaujhjggvi.exe
4064	slinptoejg.exe
4336	slinptoejg.exe
5712	kefgiooqbi.exe
5580	kefgiooqbi.exe
2228	xckpmsruhb.exe
4480	xckpmsruhb.exe
3856	ctbglxpjpm.exe
5532	ctbglxpjpm.exe
4596	jjhebjeycn.exe
1532	jjhebjeycn.exe
4092	etwiwmabpj.exe
3276	etwiwmabpj.exe
1548	xqzejprugm.exe
4684	xqzejprugm.exe
1208	uvpnszvxml.exe
2940	uvpnszvxml.exe
2608	ekqvcchyjq.exe
5528	ekqvcchyjq.exe
2892	gutwmscwtg.exe
6096	gutwmscwtg.exe
4952	gnfrfhyndi.exe
5664	gnfrfhyndi.exe
1728	tixqbnnowo.exe
4920	tixqbnnowo.exe
4460	rueorkhtgb.exe
6128	rueorkhtgb.exe
456	oswrblzaku.exe
4396	oswrblzaku.exe
3036	eigdtmrgov.exe
2944	eigdtmrgov.exe
5492	oidddelgrb.exe
5056	oidddelgrb.exe
5820	iwupwmicxm.exe
1960	iwupwmicxm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
1544	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
4144	uykbawtjla.exe
556	uykbawtjla.exe
4516	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4616	oultwhapxm.exe
4908	oultwhapxm.exe
3624	twdlshndnr.exe
4952	twdlshndnr.exe
1948	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
3312	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
4640	brvuevlmra.exe
5880	brvuevlmra.exe
1232	ihqdwcpowb.exe
2692	ihqdwcpowb.exe
2664	nfgjzmvnlu.exe
5492	nfgjzmvnlu.exe
3116	vjdfuzruwx.exe
4108	vjdfuzruwx.exe
1452	frrjicwrju.exe
6064	frrjicwrju.exe
5304	nsaqzvbeyn.exe
3188	nsaqzvbeyn.exe
1712	ajqbnrbudz.exe
3684	ajqbnrbudz.exe
6004	xskclfjjqk.exe
4036	xskclfjjqk.exe
2172	xaujhjggvi.exe
2064	xaujhjggvi.exe
4064	slinptoejg.exe
4336	slinptoejg.exe
5712	kefgiooqbi.exe
5580	kefgiooqbi.exe
2228	xckpmsruhb.exe
4480	xckpmsruhb.exe
3856	ctbglxpjpm.exe
5532	ctbglxpjpm.exe
4596	jjhebjeycn.exe
1532	jjhebjeycn.exe
4092	etwiwmabpj.exe
3276	etwiwmabpj.exe
1548	xqzejprugm.exe
4684	xqzejprugm.exe
1208	uvpnszvxml.exe
2940	uvpnszvxml.exe
2608	ekqvcchyjq.exe
5528	ekqvcchyjq.exe
2892	gutwmscwtg.exe
6096	gutwmscwtg.exe
4952	gnfrfhyndi.exe
5664	gnfrfhyndi.exe
1728	tixqbnnowo.exe
4920	tixqbnnowo.exe
4460	rueorkhtgb.exe
6128	rueorkhtgb.exe
456	oswrblzaku.exe
4396	oswrblzaku.exe
3036	eigdtmrgov.exe
2944	eigdtmrgov.exe
5492	oidddelgrb.exe
5056	oidddelgrb.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frrjicwrju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eigdtmrgov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhrefbsnog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yspibkzveo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjceccokik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guiuxmqpuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	slinptoejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zolmzmowiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tixqbnnowo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brvuevlmra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kzdsfsgaej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjnivwqkxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gaxhqabdtm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jlaahyocec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbqdkdeise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twdlshndnr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etwiwmabpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmvsupkhdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lbqdkdeise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oultwhapxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctbglxpjpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osbvvxklff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vukywpyfuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fjceccokik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajqbnrbudz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xskclfjjqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekoihrycpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zfnvuksuzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nqnxhjhbdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxqwxjhkmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmwgxdkbtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfgjzmvnlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xckpmsruhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjhebjeycn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceinzpddml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmiwegxmrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmwgxdkbtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brvuevlmra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekqvcchyjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifwenewdfr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceinzpddml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uovopjwexg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glyetxjgrw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iparvctclt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmvsupkhdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmiwegxmrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xckpmsruhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igngzdxzgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gnokyouvdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlttdtxykz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uykbawtjla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frrjicwrju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kefgiooqbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xqzejprugm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gutwmscwtg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekoihrycpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gzwfwrgndf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gzwfwrgndf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaujhjggvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekqvcchyjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eigdtmrgov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxgyxuiovh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iekzmwakyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oswrblzaku.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
1544	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
1544	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
4144	uykbawtjla.exe
4144	uykbawtjla.exe
4144	uykbawtjla.exe
4144	uykbawtjla.exe
556	uykbawtjla.exe
556	uykbawtjla.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
4516	jzjpuhvfdo.exe
4516	jzjpuhvfdo.exe
4516	jzjpuhvfdo.exe
4516	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4616	oultwhapxm.exe
4616	oultwhapxm.exe
4616	oultwhapxm.exe
4616	oultwhapxm.exe
4908	oultwhapxm.exe
4908	oultwhapxm.exe
4144	uykbawtjla.exe
4144	uykbawtjla.exe
4516	jzjpuhvfdo.exe
4516	jzjpuhvfdo.exe
3624	twdlshndnr.exe
3624	twdlshndnr.exe
3624	twdlshndnr.exe
3624	twdlshndnr.exe
4952	twdlshndnr.exe
4952	twdlshndnr.exe
4616	oultwhapxm.exe
4616	oultwhapxm.exe
1948	guiuxmqpuk.exe
1948	guiuxmqpuk.exe
1948	guiuxmqpuk.exe
1948	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
3624	twdlshndnr.exe
3624	twdlshndnr.exe
3312	bmwgxdkbtn.exe
3312	bmwgxdkbtn.exe
3312	bmwgxdkbtn.exe
3312	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
1948	guiuxmqpuk.exe
1948	guiuxmqpuk.exe
4640	brvuevlmra.exe
4640	brvuevlmra.exe
4640	brvuevlmra.exe
4640	brvuevlmra.exe
5880	brvuevlmra.exe
5880	brvuevlmra.exe
3312	bmwgxdkbtn.exe
3312	bmwgxdkbtn.exe
1232	ihqdwcpowb.exe
1232	ihqdwcpowb.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
1544	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
1544	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
4144	uykbawtjla.exe
4144	uykbawtjla.exe
556	uykbawtjla.exe
556	uykbawtjla.exe
4516	jzjpuhvfdo.exe
4516	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4664	jzjpuhvfdo.exe
4616	oultwhapxm.exe
4616	oultwhapxm.exe
4908	oultwhapxm.exe
4908	oultwhapxm.exe
3624	twdlshndnr.exe
3624	twdlshndnr.exe
4952	twdlshndnr.exe
4952	twdlshndnr.exe
1948	guiuxmqpuk.exe
1948	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
1564	guiuxmqpuk.exe
3312	bmwgxdkbtn.exe
3312	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
4924	bmwgxdkbtn.exe
4640	brvuevlmra.exe
4640	brvuevlmra.exe
5880	brvuevlmra.exe
5880	brvuevlmra.exe
1232	ihqdwcpowb.exe
1232	ihqdwcpowb.exe
2692	ihqdwcpowb.exe
2692	ihqdwcpowb.exe
2664	nfgjzmvnlu.exe
2664	nfgjzmvnlu.exe
5492	nfgjzmvnlu.exe
5492	nfgjzmvnlu.exe
3116	vjdfuzruwx.exe
3116	vjdfuzruwx.exe
4108	vjdfuzruwx.exe
4108	vjdfuzruwx.exe
1452	frrjicwrju.exe
1452	frrjicwrju.exe
6064	frrjicwrju.exe
6064	frrjicwrju.exe
5304	nsaqzvbeyn.exe
5304	nsaqzvbeyn.exe
3188	nsaqzvbeyn.exe
3188	nsaqzvbeyn.exe
1712	ajqbnrbudz.exe
1712	ajqbnrbudz.exe
3684	ajqbnrbudz.exe
3684	ajqbnrbudz.exe
6004	xskclfjjqk.exe
6004	xskclfjjqk.exe
4036	xskclfjjqk.exe
4036	xskclfjjqk.exe
2172	xaujhjggvi.exe
2172	xaujhjggvi.exe
2064	xaujhjggvi.exe
2064	xaujhjggvi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5180 wrote to memory of 1544	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	86
PID 5180 wrote to memory of 1544	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	86
PID 5180 wrote to memory of 1544	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	86
PID 5180 wrote to memory of 4144	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	90
PID 5180 wrote to memory of 4144	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	90
PID 5180 wrote to memory of 4144	5180	2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe	90
PID 4144 wrote to memory of 556	4144	uykbawtjla.exe	91
PID 4144 wrote to memory of 556	4144	uykbawtjla.exe	91
PID 4144 wrote to memory of 556	4144	uykbawtjla.exe	91
PID 4144 wrote to memory of 4516	4144	uykbawtjla.exe	92
PID 4144 wrote to memory of 4516	4144	uykbawtjla.exe	92
PID 4144 wrote to memory of 4516	4144	uykbawtjla.exe	92
PID 4516 wrote to memory of 4664	4516	jzjpuhvfdo.exe	93
PID 4516 wrote to memory of 4664	4516	jzjpuhvfdo.exe	93
PID 4516 wrote to memory of 4664	4516	jzjpuhvfdo.exe	93
PID 4516 wrote to memory of 4616	4516	jzjpuhvfdo.exe	94
PID 4516 wrote to memory of 4616	4516	jzjpuhvfdo.exe	94
PID 4516 wrote to memory of 4616	4516	jzjpuhvfdo.exe	94
PID 4616 wrote to memory of 4908	4616	oultwhapxm.exe	95
PID 4616 wrote to memory of 4908	4616	oultwhapxm.exe	95
PID 4616 wrote to memory of 4908	4616	oultwhapxm.exe	95
PID 4616 wrote to memory of 3624	4616	oultwhapxm.exe	98
PID 4616 wrote to memory of 3624	4616	oultwhapxm.exe	98
PID 4616 wrote to memory of 3624	4616	oultwhapxm.exe	98
PID 3624 wrote to memory of 4952	3624	twdlshndnr.exe	100
PID 3624 wrote to memory of 4952	3624	twdlshndnr.exe	100
PID 3624 wrote to memory of 4952	3624	twdlshndnr.exe	100
PID 3624 wrote to memory of 1948	3624	twdlshndnr.exe	101
PID 3624 wrote to memory of 1948	3624	twdlshndnr.exe	101
PID 3624 wrote to memory of 1948	3624	twdlshndnr.exe	101
PID 1948 wrote to memory of 1564	1948	guiuxmqpuk.exe	102
PID 1948 wrote to memory of 1564	1948	guiuxmqpuk.exe	102
PID 1948 wrote to memory of 1564	1948	guiuxmqpuk.exe	102
PID 1948 wrote to memory of 3312	1948	guiuxmqpuk.exe	103
PID 1948 wrote to memory of 3312	1948	guiuxmqpuk.exe	103
PID 1948 wrote to memory of 3312	1948	guiuxmqpuk.exe	103
PID 3312 wrote to memory of 4924	3312	bmwgxdkbtn.exe	104
PID 3312 wrote to memory of 4924	3312	bmwgxdkbtn.exe	104
PID 3312 wrote to memory of 4924	3312	bmwgxdkbtn.exe	104
PID 3312 wrote to memory of 4640	3312	bmwgxdkbtn.exe	105
PID 3312 wrote to memory of 4640	3312	bmwgxdkbtn.exe	105
PID 3312 wrote to memory of 4640	3312	bmwgxdkbtn.exe	105
PID 4640 wrote to memory of 5880	4640	brvuevlmra.exe	106
PID 4640 wrote to memory of 5880	4640	brvuevlmra.exe	106
PID 4640 wrote to memory of 5880	4640	brvuevlmra.exe	106
PID 4640 wrote to memory of 1232	4640	brvuevlmra.exe	107
PID 4640 wrote to memory of 1232	4640	brvuevlmra.exe	107
PID 4640 wrote to memory of 1232	4640	brvuevlmra.exe	107
PID 1232 wrote to memory of 2692	1232	ihqdwcpowb.exe	108
PID 1232 wrote to memory of 2692	1232	ihqdwcpowb.exe	108
PID 1232 wrote to memory of 2692	1232	ihqdwcpowb.exe	108
PID 1232 wrote to memory of 2664	1232	ihqdwcpowb.exe	110
PID 1232 wrote to memory of 2664	1232	ihqdwcpowb.exe	110
PID 1232 wrote to memory of 2664	1232	ihqdwcpowb.exe	110
PID 2664 wrote to memory of 5492	2664	nfgjzmvnlu.exe	111
PID 2664 wrote to memory of 5492	2664	nfgjzmvnlu.exe	111
PID 2664 wrote to memory of 5492	2664	nfgjzmvnlu.exe	111
PID 2664 wrote to memory of 3116	2664	nfgjzmvnlu.exe	113
PID 2664 wrote to memory of 3116	2664	nfgjzmvnlu.exe	113
PID 2664 wrote to memory of 3116	2664	nfgjzmvnlu.exe	113
PID 3116 wrote to memory of 4108	3116	vjdfuzruwx.exe	114
PID 3116 wrote to memory of 4108	3116	vjdfuzruwx.exe	114
PID 3116 wrote to memory of 4108	3116	vjdfuzruwx.exe	114
PID 3116 wrote to memory of 1452	3116	vjdfuzruwx.exe	115

C:\Users\Admin\AppData\Local\Temp\2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Users\Admin\AppData\Local\Temp\2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-12_079bb4f8a82dd01498b7917f34780382_amadey_elex_smoke-loader.exe update uykbawtjla.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\uykbawtjla.exe
  C:\Users\Admin\AppData\Local\Temp\uykbawtjla.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\uykbawtjla.exe
    C:\Users\Admin\AppData\Local\Temp\uykbawtjla.exe update jzjpuhvfdo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\jzjpuhvfdo.exe
    C:\Users\Admin\AppData\Local\Temp\jzjpuhvfdo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\jzjpuhvfdo.exe
      C:\Users\Admin\AppData\Local\Temp\jzjpuhvfdo.exe update oultwhapxm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\oultwhapxm.exe
      C:\Users\Admin\AppData\Local\Temp\oultwhapxm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\oultwhapxm.exe
        
        C:\Users\Admin\AppData\Local\Temp\oultwhapxm.exe update twdlshndnr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\twdlshndnr.exe
        
        C:\Users\Admin\AppData\Local\Temp\twdlshndnr.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\twdlshndnr.exe
        
        C:\Users\Admin\AppData\Local\Temp\twdlshndnr.exe update guiuxmqpuk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\guiuxmqpuk.exe
        
        C:\Users\Admin\AppData\Local\Temp\guiuxmqpuk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\guiuxmqpuk.exe
        
        C:\Users\Admin\AppData\Local\Temp\guiuxmqpuk.exe update bmwgxdkbtn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\bmwgxdkbtn.exe
        
        C:\Users\Admin\AppData\Local\Temp\bmwgxdkbtn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\bmwgxdkbtn.exe
        
        C:\Users\Admin\AppData\Local\Temp\bmwgxdkbtn.exe update brvuevlmra.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\brvuevlmra.exe
        
        C:\Users\Admin\AppData\Local\Temp\brvuevlmra.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\brvuevlmra.exe
        
        C:\Users\Admin\AppData\Local\Temp\brvuevlmra.exe update ihqdwcpowb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\ihqdwcpowb.exe
        
        C:\Users\Admin\AppData\Local\Temp\ihqdwcpowb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\ihqdwcpowb.exe
        
        C:\Users\Admin\AppData\Local\Temp\ihqdwcpowb.exe update nfgjzmvnlu.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\nfgjzmvnlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfgjzmvnlu.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\nfgjzmvnlu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfgjzmvnlu.exe update vjdfuzruwx.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\vjdfuzruwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjdfuzruwx.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\vjdfuzruwx.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjdfuzruwx.exe update frrjicwrju.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\frrjicwrju.exe
        
        C:\Users\Admin\AppData\Local\Temp\frrjicwrju.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\frrjicwrju.exe
        
        C:\Users\Admin\AppData\Local\Temp\frrjicwrju.exe update nsaqzvbeyn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\nsaqzvbeyn.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsaqzvbeyn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\nsaqzvbeyn.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsaqzvbeyn.exe update ajqbnrbudz.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\ajqbnrbudz.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajqbnrbudz.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\ajqbnrbudz.exe
        
        C:\Users\Admin\AppData\Local\Temp\ajqbnrbudz.exe update xskclfjjqk.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\xskclfjjqk.exe
        
        C:\Users\Admin\AppData\Local\Temp\xskclfjjqk.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\xskclfjjqk.exe
        
        C:\Users\Admin\AppData\Local\Temp\xskclfjjqk.exe update xaujhjggvi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\xaujhjggvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\xaujhjggvi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\xaujhjggvi.exe
        
        C:\Users\Admin\AppData\Local\Temp\xaujhjggvi.exe update slinptoejg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\slinptoejg.exe
        
        C:\Users\Admin\AppData\Local\Temp\slinptoejg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\slinptoejg.exe
        
        C:\Users\Admin\AppData\Local\Temp\slinptoejg.exe update kefgiooqbi.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\kefgiooqbi.exe
        
        C:\Users\Admin\AppData\Local\Temp\kefgiooqbi.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\kefgiooqbi.exe
        
        C:\Users\Admin\AppData\Local\Temp\kefgiooqbi.exe update xckpmsruhb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\xckpmsruhb.exe
        
        C:\Users\Admin\AppData\Local\Temp\xckpmsruhb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\xckpmsruhb.exe
        
        C:\Users\Admin\AppData\Local\Temp\xckpmsruhb.exe update ctbglxpjpm.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\ctbglxpjpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\ctbglxpjpm.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\ctbglxpjpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\ctbglxpjpm.exe update jjhebjeycn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\jjhebjeycn.exe
        
        C:\Users\Admin\AppData\Local\Temp\jjhebjeycn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\jjhebjeycn.exe
        
        C:\Users\Admin\AppData\Local\Temp\jjhebjeycn.exe update etwiwmabpj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\etwiwmabpj.exe
        
        C:\Users\Admin\AppData\Local\Temp\etwiwmabpj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\etwiwmabpj.exe
        
        C:\Users\Admin\AppData\Local\Temp\etwiwmabpj.exe update xqzejprugm.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\xqzejprugm.exe
        
        C:\Users\Admin\AppData\Local\Temp\xqzejprugm.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\xqzejprugm.exe
        
        C:\Users\Admin\AppData\Local\Temp\xqzejprugm.exe update uvpnszvxml.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\uvpnszvxml.exe
        
        C:\Users\Admin\AppData\Local\Temp\uvpnszvxml.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\uvpnszvxml.exe
        
        C:\Users\Admin\AppData\Local\Temp\uvpnszvxml.exe update ekqvcchyjq.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\ekqvcchyjq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekqvcchyjq.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\ekqvcchyjq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekqvcchyjq.exe update gutwmscwtg.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\gutwmscwtg.exe
        
        C:\Users\Admin\AppData\Local\Temp\gutwmscwtg.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\gutwmscwtg.exe
        
        C:\Users\Admin\AppData\Local\Temp\gutwmscwtg.exe update gnfrfhyndi.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\gnfrfhyndi.exe
        
        C:\Users\Admin\AppData\Local\Temp\gnfrfhyndi.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\gnfrfhyndi.exe
        
        C:\Users\Admin\AppData\Local\Temp\gnfrfhyndi.exe update tixqbnnowo.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\tixqbnnowo.exe
        
        C:\Users\Admin\AppData\Local\Temp\tixqbnnowo.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tixqbnnowo.exe
        
        C:\Users\Admin\AppData\Local\Temp\tixqbnnowo.exe update rueorkhtgb.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\rueorkhtgb.exe
        
        C:\Users\Admin\AppData\Local\Temp\rueorkhtgb.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\rueorkhtgb.exe
        
        C:\Users\Admin\AppData\Local\Temp\rueorkhtgb.exe update oswrblzaku.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\oswrblzaku.exe
        
        C:\Users\Admin\AppData\Local\Temp\oswrblzaku.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\oswrblzaku.exe
        
        C:\Users\Admin\AppData\Local\Temp\oswrblzaku.exe update eigdtmrgov.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\eigdtmrgov.exe
        
        C:\Users\Admin\AppData\Local\Temp\eigdtmrgov.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\eigdtmrgov.exe
        
        C:\Users\Admin\AppData\Local\Temp\eigdtmrgov.exe update oidddelgrb.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\oidddelgrb.exe
        
        C:\Users\Admin\AppData\Local\Temp\oidddelgrb.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\oidddelgrb.exe
        
        C:\Users\Admin\AppData\Local\Temp\oidddelgrb.exe update iwupwmicxm.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\iwupwmicxm.exe
        
        C:\Users\Admin\AppData\Local\Temp\iwupwmicxm.exe
        33⤵
        Executes dropped EXE
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\iwupwmicxm.exe
        
        C:\Users\Admin\AppData\Local\Temp\iwupwmicxm.exe update ekoihrycpd.exe
        34⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\ekoihrycpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekoihrycpd.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\ekoihrycpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ekoihrycpd.exe update lwhdhmzggp.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\lwhdhmzggp.exe
        
        C:\Users\Admin\AppData\Local\Temp\lwhdhmzggp.exe
        35⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\lwhdhmzggp.exe
        
        C:\Users\Admin\AppData\Local\Temp\lwhdhmzggp.exe update lhrzhissyt.exe
        36⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\lhrzhissyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhrzhissyt.exe
        36⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\lhrzhissyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhrzhissyt.exe update gzwfwrgndf.exe
        37⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\gzwfwrgndf.exe
        
        C:\Users\Admin\AppData\Local\Temp\gzwfwrgndf.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\gzwfwrgndf.exe
        
        C:\Users\Admin\AppData\Local\Temp\gzwfwrgndf.exe update igngzdxzgc.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\igngzdxzgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\igngzdxzgc.exe
        38⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\igngzdxzgc.exe
        
        C:\Users\Admin\AppData\Local\Temp\igngzdxzgc.exe update yhrefbsnog.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhrefbsnog.exe update gathlcjiay.exe
        40⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\gathlcjiay.exe
        
        C:\Users\Admin\AppData\Local\Temp\gathlcjiay.exe
        40⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\gathlcjiay.exe
        
        C:\Users\Admin\AppData\Local\Temp\gathlcjiay.exe update yspibkzveo.exe
        41⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\yspibkzveo.exe
        
        C:\Users\Admin\AppData\Local\Temp\yspibkzveo.exe
        41⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\yspibkzveo.exe
        
        C:\Users\Admin\AppData\Local\Temp\yspibkzveo.exe update vukywpyfuc.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\vukywpyfuc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vukywpyfuc.exe
        42⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\vukywpyfuc.exe
        
        C:\Users\Admin\AppData\Local\Temp\vukywpyfuc.exe update iparvctclt.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\iparvctclt.exe
        
        C:\Users\Admin\AppData\Local\Temp\iparvctclt.exe
        43⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\iparvctclt.exe
        
        C:\Users\Admin\AppData\Local\Temp\iparvctclt.exe update kzdsfsgaej.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\kzdsfsgaej.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzdsfsgaej.exe
        44⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\kzdsfsgaej.exe
        
        C:\Users\Admin\AppData\Local\Temp\kzdsfsgaej.exe update xuulpzxkmz.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\xuulpzxkmz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xuulpzxkmz.exe
        45⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\xuulpzxkmz.exe
        
        C:\Users\Admin\AppData\Local\Temp\xuulpzxkmz.exe update ifwenewdfr.exe
        46⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\ifwenewdfr.exe
        
        C:\Users\Admin\AppData\Local\Temp\ifwenewdfr.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\ifwenewdfr.exe
        
        C:\Users\Admin\AppData\Local\Temp\ifwenewdfr.exe update kmvsupkhdt.exe
        47⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\kmvsupkhdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\kmvsupkhdt.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\kmvsupkhdt.exe
        
        C:\Users\Admin\AppData\Local\Temp\kmvsupkhdt.exe update ceinzpddml.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\ceinzpddml.exe
        
        C:\Users\Admin\AppData\Local\Temp\ceinzpddml.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\ceinzpddml.exe
        
        C:\Users\Admin\AppData\Local\Temp\ceinzpddml.exe update cmiwegxmrk.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\cmiwegxmrk.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmiwegxmrk.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\cmiwegxmrk.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmiwegxmrk.exe update zolmzmowiq.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\zolmzmowiq.exe
        
        C:\Users\Admin\AppData\Local\Temp\zolmzmowiq.exe
        50⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\zolmzmowiq.exe
        
        C:\Users\Admin\AppData\Local\Temp\zolmzmowiq.exe update uxqandkqmc.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\uxqandkqmc.exe
        
        C:\Users\Admin\AppData\Local\Temp\uxqandkqmc.exe
        51⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\uxqandkqmc.exe
        
        C:\Users\Admin\AppData\Local\Temp\uxqandkqmc.exe update vjnwtbukfw.exe
        52⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\vjnwtbukfw.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjnwtbukfw.exe
        52⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\vjnwtbukfw.exe
        
        C:\Users\Admin\AppData\Local\Temp\vjnwtbukfw.exe update fjceccokik.exe
        53⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\fjceccokik.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjceccokik.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\fjceccokik.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjceccokik.exe update sdtpnigtzs.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\sdtpnigtzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\sdtpnigtzs.exe
        54⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\sdtpnigtzs.exe
        
        C:\Users\Admin\AppData\Local\Temp\sdtpnigtzs.exe update rmstyrumcs.exe
        55⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\rmstyrumcs.exe
        
        C:\Users\Admin\AppData\Local\Temp\rmstyrumcs.exe
        55⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\rmstyrumcs.exe
        
        C:\Users\Admin\AppData\Local\Temp\rmstyrumcs.exe update kxqwxjhkmk.exe
        56⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\kxqwxjhkmk.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxqwxjhkmk.exe
        56⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\kxqwxjhkmk.exe
        
        C:\Users\Admin\AppData\Local\Temp\kxqwxjhkmk.exe update zmczbdeeqt.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\zmczbdeeqt.exe
        
        C:\Users\Admin\AppData\Local\Temp\zmczbdeeqt.exe
        57⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\zmczbdeeqt.exe
        
        C:\Users\Admin\AppData\Local\Temp\zmczbdeeqt.exe update zfnvuksuzu.exe
        58⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\zfnvuksuzu.exe
        
        C:\Users\Admin\AppData\Local\Temp\zfnvuksuzu.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\zfnvuksuzu.exe
        
        C:\Users\Admin\AppData\Local\Temp\zfnvuksuzu.exe update rjnivwqkxy.exe
        59⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\rjnivwqkxy.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjnivwqkxy.exe
        59⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\rjnivwqkxy.exe
        
        C:\Users\Admin\AppData\Local\Temp\rjnivwqkxy.exe update rnkmbchwiz.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        60⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe
        
        C:\Users\Admin\AppData\Local\Temp\rnkmbchwiz.exe update zwqhbazjtc.exe
        61⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\zwqhbazjtc.exe
        
        C:\Users\Admin\AppData\Local\Temp\zwqhbazjtc.exe
        61⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\zwqhbazjtc.exe
        
        C:\Users\Admin\AppData\Local\Temp\zwqhbazjtc.exe update uovopjwexg.exe
        62⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\uovopjwexg.exe
        
        C:\Users\Admin\AppData\Local\Temp\uovopjwexg.exe
        62⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\uovopjwexg.exe
        
        C:\Users\Admin\AppData\Local\Temp\uovopjwexg.exe update rwnjcwycqs.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\rwnjcwycqs.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwnjcwycqs.exe
        63⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\rwnjcwycqs.exe
        
        C:\Users\Admin\AppData\Local\Temp\rwnjcwycqs.exe update ojuhrtjozg.exe
        64⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\ojuhrtjozg.exe
        
        C:\Users\Admin\AppData\Local\Temp\ojuhrtjozg.exe
        64⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\ojuhrtjozg.exe
        
        C:\Users\Admin\AppData\Local\Temp\ojuhrtjozg.exe update tleantecqe.exe
        65⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tleantecqe.exe
        
        C:\Users\Admin\AppData\Local\Temp\tleantecqe.exe
        65⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tleantecqe.exe
        
        C:\Users\Admin\AppData\Local\Temp\tleantecqe.exe update wreocesgng.exe
        66⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\wreocesgng.exe
        
        C:\Users\Admin\AppData\Local\Temp\wreocesgng.exe
        66⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\wreocesgng.exe
        
        C:\Users\Admin\AppData\Local\Temp\wreocesgng.exe update ggfweafhkl.exe
        67⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\ggfweafhkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ggfweafhkl.exe
        67⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\ggfweafhkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\ggfweafhkl.exe update ogeaprbrvm.exe
        68⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\ogeaprbrvm.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogeaprbrvm.exe
        68⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\ogeaprbrvm.exe
        
        C:\Users\Admin\AppData\Local\Temp\ogeaprbrvm.exe update osbvvxklff.exe
        69⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\osbvvxklff.exe
        
        C:\Users\Admin\AppData\Local\Temp\osbvvxklff.exe
        69⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\osbvvxklff.exe
        
        C:\Users\Admin\AppData\Local\Temp\osbvvxklff.exe update glyetxjgrw.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\glyetxjgrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\glyetxjgrw.exe
        70⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\glyetxjgrw.exe
        
        C:\Users\Admin\AppData\Local\Temp\glyetxjgrw.exe update gaxhqabdtm.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\gaxhqabdtm.exe
        
        C:\Users\Admin\AppData\Local\Temp\gaxhqabdtm.exe
        71⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\gaxhqabdtm.exe
        
        C:\Users\Admin\AppData\Local\Temp\gaxhqabdtm.exe update jlaahyocec.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\jlaahyocec.exe
        
        C:\Users\Admin\AppData\Local\Temp\jlaahyocec.exe
        72⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\jlaahyocec.exe
        
        C:\Users\Admin\AppData\Local\Temp\jlaahyocec.exe update yxgyxuiovh.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\yxgyxuiovh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxgyxuiovh.exe
        73⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\yxgyxuiovh.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxgyxuiovh.exe update iekzmwakyw.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\iekzmwakyw.exe
        
        C:\Users\Admin\AppData\Local\Temp\iekzmwakyw.exe
        74⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\iekzmwakyw.exe
        
        C:\Users\Admin\AppData\Local\Temp\iekzmwakyw.exe update gnokyouvdo.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\gnokyouvdo.exe
        
        C:\Users\Admin\AppData\Local\Temp\gnokyouvdo.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\gnokyouvdo.exe
        
        C:\Users\Admin\AppData\Local\Temp\gnokyouvdo.exe update tlttdtxykz.exe
        76⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tlttdtxykz.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlttdtxykz.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tlttdtxykz.exe
        
        C:\Users\Admin\AppData\Local\Temp\tlttdtxykz.exe update golsrzmavn.exe
        77⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\golsrzmavn.exe
        
        C:\Users\Admin\AppData\Local\Temp\golsrzmavn.exe
        77⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\golsrzmavn.exe
        
        C:\Users\Admin\AppData\Local\Temp\golsrzmavn.exe update lbqdkdeise.exe
        78⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\lbqdkdeise.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbqdkdeise.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\lbqdkdeise.exe
        
        C:\Users\Admin\AppData\Local\Temp\lbqdkdeise.exe update dmcyvsbzcg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\dmcyvsbzcg.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmcyvsbzcg.exe
        79⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\dmcyvsbzcg.exe
        
        C:\Users\Admin\AppData\Local\Temp\dmcyvsbzcg.exe update nqnxhjhbdq.exe
        80⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe
        
        C:\Users\Admin\AppData\Local\Temp\nqnxhjhbdq.exe update ahtdglrizs.exe
        81⤵
        
        PID:4632

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajqbnrbudz.exe

Filesize
10.4MB

MD5
a6b9a03e7f577639f468ea5f1ca94667

SHA1
1e19f1ba039f02f8026fb15769c66d272f315076

SHA256
be7399ca5f5ec6f9d28a2536cc799a5455373d79e978201cc0da780388db9c40

SHA512
7354bcfe9abc470dd98933335652ad23c874c7688b8cdd9dc95e4f5315eae227bac1d9afed79026280ced4a3733e7ef398e3a2be4caa4f6e6445d354bb14d41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmwgxdkbtn.exe

Filesize
10.4MB

MD5
735753ffbfedcd20691259d33dc43c47

SHA1
c67d00f218caaafd56da12e6018eecef7589d0b9

SHA256
0b3b2b3d9d2249c4c2fd1d57ddafe09a3c9cee31ff9076cbf250ae0dce48942d

SHA512
1b200622eeffa9b01a6ad50954b2de87d95801ba6b1e8a89edb8478b0168d2faeae19f601e42db29e659ea02d8fc398ed204865591037dd7af07291ac8c83897

Download Submit
C:\Users\Admin\AppData\Local\Temp\brvuevlmra.exe

Filesize
10.4MB

MD5
8c93ef74b694a9b6f3e8d985e3c26da1

SHA1
3ba95cb8c326fa0fe9d03abf25246dea3c05f8ea

SHA256
266b5d3d2431357206920f62645c7d54f7fdf18747803b52acbbc4daf4963ef6

SHA512
c3979e65bf4581464fb1698e1c0960abfa41f644714ed1dd262d2f8daa90533a032bc12d2f4960967fc70e96c070cffcd7a92e6d0ca10c909abd21e8e9ee7fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\frrjicwrju.exe

Filesize
10.4MB

MD5
736e474c50bccea56367c46039fd97cf

SHA1
ee3c8c076ad6343d8244a42b933252ca53d95e54

SHA256
2e5900ce41c4ad590b686d7d3fa0d29b3f659a268ce158b8368f794ab0ebbdd1

SHA512
4861df3a873eb5d064cb7e8f30319288ab5e9045639bfb1f8fed787bfe5f3aa351e21450245dd0c2a472b9464343461ba90c5c374634dda15a6a24cf03ac0771

Download Submit
C:\Users\Admin\AppData\Local\Temp\guiuxmqpuk.exe

Filesize
10.4MB

MD5
156c0d54362e5e65f52c9e4442d64983

SHA1
8956ee650f878853c1be8b83cd10e552587fb1b9

SHA256
a76622c780e8014c4dbe9e41ec34419d95a86e0155e3fcb8b70e59ef73e42923

SHA512
7f73d5fbee6e80f92505816112cbb3e4190c77f99dafa4a3adae3853ba8686b885f5e62804aa87528e2b9ba0ca5f5438051494ea2de6958df2a8b0be79aadbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihqdwcpowb.exe

Filesize
10.4MB

MD5
a47516f1a8f9ffc2312ea1c180014f47

SHA1
036fe300d508f6248fc20865da9cb78af78ebdf7

SHA256
5df91c567cb75ad69d388be200863e51ec78887c835d70114b3e6d884e7b2ec6

SHA512
6ea394ff79ecafa953a7155ff560d49286467006619e9ae5c48e49f94d8a3594e2687b55a8dcee7c71b92f5f04e11fbe618976e5c36b61c60284bb7fdcea2279

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzjpuhvfdo.exe

Filesize
10.4MB

MD5
7bef232f7f606295329a72f01dffca9e

SHA1
80ac7582cdc075ad6aa4d0c7e1ffdf5b49186342

SHA256
57a0b5f5a3109b144b911c683cdf6fab20d8f110c481993402a60d1e0a2240ab

SHA512
107a47a0d8e5d96dd6f2d3c64c7792658de161daef29ac4d5b428f122e2d57624339669f1d5f53c8514a997ebb205f1e232888e0c94d45cf880ca8685f13cf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefgiooqbi.exe

Filesize
10.4MB

MD5
d5f64961b9b2792d044aba8b29e0348c

SHA1
734281e80c294457b4921ed00756d7b12afaaf79

SHA256
5482e9d4f818a4270d9184a7976b966ee1d4e4bdc90946f026d8ece28742005a

SHA512
978c724f569db728a5bfb144202f34d4b88e0c64b0287e295906292a5dd859ffb59a45b5a4234468e97515c5550c4d78cd9c8d8b882c5920f18730b0dc85cfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfgjzmvnlu.exe

Filesize
10.4MB

MD5
63fa7d0977e82fc5daab6d9cf61a6d78

SHA1
b56b00ba239a1bfb421fd6d049b48a89b7fb99b7

SHA256
d35ef839052178fddc2bc0df2dd0852f909e5fe0a5a49f8f7cf3c3ccc59a2598

SHA512
7af127bd1902bfa551ac9b7772136721fcccfb62f9f440d347eed1648d0cad873ac79f9b2f86144977bc7b0dd13519a05a42dce1bc6b65be7289aca4f8a1f5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaqzvbeyn.exe

Filesize
10.4MB

MD5
a0851e7ab4096bffe6caedfee85a34c9

SHA1
9649698bf2050f42fb01191d183230184a441095

SHA256
b9532e35db0487d688db386a6ff3dc4713d727beebedcd1af40c474bcbae4f87

SHA512
a4e4184bf28ea0ef7bacee21897a2f3fd54c7d135f840d615b3298c13329aa8b73b7effea4de9032fe3cfdc766a45d9d5c0005383b2bbbdc758d188ec2813464

Download Submit
C:\Users\Admin\AppData\Local\Temp\oultwhapxm.exe

Filesize
10.4MB

MD5
6cb90cfb257a4da205c90849db452147

SHA1
147c76006af88a2fb21b0bc6a8cfe78cb98cb41e

SHA256
439b860cdf683955da5679e8854cb183b5e1a85d3cca430445ef6e55756df123

SHA512
2b58ea4e32757244421eb56100e360c5790b2f53589782da79ab8d98a2d5466b6d8c27a264c2867ffef876f1742c6b289575efc804bbd3dcf77127e58e22982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinptoejg.exe

Filesize
10.4MB

MD5
69f23f0e5f94a4d8ea522407f55c2a05

SHA1
cd54cdd345ac9a4fe150e04646a520593f736c00

SHA256
89c0daa8da403123fbe1ada6a16f86ad844ae453914f46844796489b87d655eb

SHA512
c8fd52fd57be84ea533cbe80138e32853aa7676dcefedae6978dc93a050d69fc44538107cd972b18e3306edffc82297b0647a4fa823a288fa00e11f29fd4718c

Download Submit
C:\Users\Admin\AppData\Local\Temp\twdlshndnr.exe

Filesize
10.4MB

MD5
f4a2ee59ff301923d4b40efe4f754aba

SHA1
e7c0ff425baffaffebbfde469d2043b3716f372b

SHA256
90553a17eb9b71326abaeb67f822e19402f85448ed157975633817f0508cfd33

SHA512
fbd352bddaaef30021d52481810a1eb5a42f9a69276f17864a66f65a6bf11a36b14af80e064f0caa64d36e378998369c7c9489c8eeeb3354a2563c0ca607926c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
44e7588d536a464f1fd472bd6b1e23aa

SHA1
d5f85c3b4bad8051afc9fb52d507072d93bb91f4

SHA256
75eb1875bcc3907cbdc406a683e2ee7f9f6fd5d1c78cb2bc94b027a77c4f7b6d

SHA512
c6b2849e193e57a8aed65099b0ad5c49e9173a967aa5bf034c976a8c88ae413549a608d8106e142b610917527095313fb399f42d9284d493c362159807f0448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3831c6316f4bc4f1d2b8a11d68fac048

SHA1
5d1f0d626349fd728f686eefe7fe7953277ec36e

SHA256
b1180db953c093ec3570043167afc3a32b87cff709aa56c1427310620c959be1

SHA512
24a9a3c8503cd81f342ba6b0f76c3360a72932f66c687a449837ed5df4148df30cb27f5f225aeecb6f2352607a6d96ead45e44161d3f649ed9979a07b7a911ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
d690832b6a9f40effaf0d4b6d1e7fb22

SHA1
ae48dd927a54219b0913dba0ecc3bbf68ce15443

SHA256
1e9e7a8a2d9bb0fccc05b724bea594e36812cd188fd63b9cee9312c5a46ce9fc

SHA512
b8dcb05b2dc7ab23e38a09345cd81ff37461448efaede20144a3aab26afc7e4a1f503bc86dee467e91ce2ea0bc2eeb4c3cc44d93933b12fcac44c97f865cb4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
6f290256cc0ec42eee508e91d49b62d9

SHA1
af03680da2d6b211ba3e0015f39680e0d9bde5fd

SHA256
66eb8e82a9810fc8eb982f8326b10f46ab5eb6c826b04ec83d4b9643d83fe89b

SHA512
74d72b3aff5a4ca2e0a94ea26eaa627cbd418e950d51c6125fab257d8b036a3295d6730e1cee8a9fca60fdf1f9b66968f3287962e3b8af91a6d2adc6e95c0a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
7155f883e264a28ffb97cce7fff549ac

SHA1
b93b1642cc0434d1db8cddacf51e9bffc8280e59

SHA256
8a3867102935cc5985d41dad1ac381b69672273f08a0083bbc53971f844bdb79

SHA512
9b87f122b780eddcc08b23bbed3739a321836e5bf4c19f57d5cdf17e6a31f0ddfa70628f1e0c1b4e382638cc899f7818b668602a7194111e8337647b6ab2f18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3163146139bcfe842be7b0032738c15a

SHA1
4d32977acea038f82d045f86e066420e8be2f59b

SHA256
20b9aa34da66037e44621bd9a3f953c75daa71e3eae5a197cfc40de613ebe091

SHA512
cc22fbacb7e38b492a21e7a5d2302979193a6bc1fe25a6bc170a824cec997ffebb24c71e4e1aa7ce810229ce27977e4c70991f98dadb88b463b1a7292c1c4e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
36fcd4d0cd29955cfd68468394d8d91e

SHA1
118e05fb55801480611b70bbf94739ee5d094e2b

SHA256
22849053693870fa4a2e736d569b6d3f542e08589a938782ceab6eb4775464aa

SHA512
062232d8c1f39683c56d32498c1a6f5c88bd6652d0a9380d99589e15f8cb6ed3866dd6e481dbce290934ce557ce9e91f0998565537e211fa5e222a5e4db5b165

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
de4dc8859e6c1928400c53881dff0db2

SHA1
9c64ee3dff9f3d054a5ad0216e1232e4db5c1abc

SHA256
df798db7c04c301d9c3c1320acbdf51f255d036b50d7081644b244fa4dd7b465

SHA512
dde94cf85ca89ea9de5dde955e096ff872c78bf3e9419e085ddb6438b318d9199c2d905610606fb4c1e0c573a61da0429de33ebe57d2486fb26758be590fc049

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
3b1582ca35658281be4eeeeee2f0f7f3

SHA1
a7f520c90f792092a0279dffbd4bdd06842749e2

SHA256
2475eebe022690ca45764dd7a43c305ae319a0a7c95394e573f97efd7eeb415f

SHA512
1bd1ae5e24dbb030009f4df41c46e3f1a13f6304e731d686fc14cf3985c31699a988a1a2ed9f2c941718ca73002fa97c09024e59e9c753073e053e7f2fe36564

Download Submit
C:\Users\Admin\AppData\Local\Temp\uykbawtjla.exe

Filesize
10.4MB

MD5
8ed617677b265e6ab6898a0e0b4dff3d

SHA1
66f8e7a5a418405d9adaecbecc3c647797aa4c9f

SHA256
9e7274335fde13b46216dce6fafdd726169c8dfc5eaedbd3e1c975aeef31a8dc

SHA512
21103380cf4ef3dcab9f9e67edeb1e0898838bc0f4608c22f1e8d39bf55eaa6a43c39d12578d8ee3ce0c31c98111c0eb743ec26475ab2d1107fd871b3f9d7b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjdfuzruwx.exe

Filesize
10.4MB

MD5
538cc4dd0d38cafd9c82cacb2fc84fe9

SHA1
d39a3509ea5627b45fe32334b0d26654c5da9a22

SHA256
f79276401be98f0c1f8428204492845e96c1ced837c1dea86ec9970543e0aa5a

SHA512
67807863aaec8c25ab8a3a505c2747aab604fe2b31c3a373abcd834d8dbcc3ae93e4a8dfdae0043153ed14f6b9c2c938e5a892e8d8def06dd9bf1700ec9af343

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaujhjggvi.exe

Filesize
10.4MB

MD5
d0022e8d94bff1534c0f97b5870e0ceb

SHA1
45909b3d7927765e7240dec9c7218ea84bda3f1b

SHA256
fd0da0c1d2dbb7fe8a880dbedda6435238a35f6125fe44b0ecf6567932f91d85

SHA512
9a48c7004c6154acc8b2177abf156f0e4ad6ca91fa2133a14025d48b3d8dd57eab69a775e894f6c640fd1cee58e03c9cf4466e882fed2c2ab89b948a45f84aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xckpmsruhb.exe

Filesize
10.4MB

MD5
2e433cba17c1f9f28916798254ffabd3

SHA1
e4f8bd60b7bc63b9efecea40fac360eb5ebf32bb

SHA256
cf421c6ac508595531d9eed0f22e01b1ecf32a1d0e8c05fe68aa627bc6ba5d0b

SHA512
6472718eca575785ee38238d27ab28ca15ebfd57db348e106106d898e99c562f301dcee8887a2506937d49fd4b3d4141370feb88218bbfcaa698dbb5f982c6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskclfjjqk.exe

Filesize
10.4MB

MD5
c429a31ee6dbbf9295794ef879611bb2

SHA1
2749b5407f5b22e93b35137601c4a809f75b6127

SHA256
3b0228a0b25a64d6fa8c8d584ccf6860c22fc111285ea14c0628c5cb63ed05b2

SHA512
a36f821c310e1146c4c2b9b313f3d9526d7c253eb552f78dbbcf09a47b40e16f6f9eb427dd3524a3838cd788df55d49f9e4b48b8b3a430af6293319c454685d7

Download Submit
memory/556-16-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1232-82-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1452-116-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1544-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1544-5-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1544-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1544-4-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1564-52-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1712-138-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1948-48-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1948-49-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2064-164-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2064-165-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2172-162-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2664-94-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2664-93-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2692-86-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2692-85-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3116-105-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3188-132-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3312-59-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3624-40-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3684-143-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4036-154-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4108-108-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-69-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-83-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4144-11-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4516-22-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4616-30-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/4616-31-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4640-68-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4664-25-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4908-34-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4924-62-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/4952-42-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4952-43-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5180-71-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5180-2-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5180-54-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/5180-1-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5180-0-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/5304-127-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5304-126-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/5492-96-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/5492-97-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/5880-74-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/6004-151-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/6064-120-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/6064-121-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download