47caecf18636f927291636acbc40c3b5fff93b9b5371e5054775aa2deedb8e55

Analysis

max time kernel
27s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fd9c7c8860fdb39d108aa863444c4f0N.exe
Size

201KB
MD5

4fd9c7c8860fdb39d108aa863444c4f0
SHA1

03d2cbd3b28a1f68365a5a2583a520739e9a3b88
SHA256

47caecf18636f927291636acbc40c3b5fff93b9b5371e5054775aa2deedb8e55
SHA512

2bde0bd8a64a3b21e643bc6bf5640cb7ca0c908ca21623f1d60e746a8b4b69ae6684baf69ad8e5cf4c750a1c975dbc62ba537797f1681b4e842c43ca115d3ddb
SSDEEP

6144:dXC4vgmhbIxs3NBByQop9QBfdZY9ScmsbeL:dXCNi9BsVQ5s9SIK

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\X:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\H:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\J:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\M:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\N:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\R:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\T:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Y:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Z:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\E:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\I:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\L:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\O:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\W:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\A:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\G:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\K:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\P:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\B:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Q:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\S:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\V:	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american cum lesbian uncut castration (Christine,Jade).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish cumshot lingerie several models titts (Sonja,Melissa).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\bukkake lesbian titts sm .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beast lesbian titts YEâPSè& (Sarah).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia bukkake voyeur hole granny .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling girls feet hotel .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\african gay hot (!) .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\IME\shared\russian cum blowjob full movie glans mistress .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lingerie public titts .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian beastiality trambling public glans lady (Tatjana).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\hardcore hidden .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese porn gay girls cock .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\lesbian hidden titts .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Windows Journal\Templates\blowjob [bangbus] feet (Britney,Janette).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\nude lesbian catfight glans pregnant .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian nude xxx [free] (Tatjana).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking beast [bangbus] girly .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\blowjob lesbian pregnant .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish fetish hardcore uncut feet .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\danish beastiality sperm masturbation fishy .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish kicking sperm voyeur .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\swedish cumshot blowjob catfight hairy .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\DVD Maker\Shared\swedish beastiality bukkake public ash .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\black animal sperm catfight cock ¼ç .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\italian handjob fucking [bangbus] (Liz).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\cumshot horse masturbation glans stockings (Curtney).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian horse gay full movie cock .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\sperm masturbation bedroom .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\security\templates\american animal beast hidden leather .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\norwegian xxx lesbian (Melissa).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\blowjob [bangbus] (Karin).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SoftwareDistribution\Download\xxx uncut .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\bukkake licking cock beautyfull .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\PLA\Templates\italian beastiality bukkake hot (!) glans .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian handjob beast big swallow .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\american cumshot beast catfight .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast several models feet Ôë (Melissa).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\bukkake girls latex .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian porn trambling [free] lady .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\horse horse hot (!) .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\lingerie uncut redhair (Anniston,Jade).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\hardcore hidden glans .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\tmp\italian fetish lingerie masturbation cock balls .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Downloaded Program Files\danish nude gay several models titts granny .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\italian cum gay lesbian titts penetration .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\lingerie full movie feet pregnant (Janette).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\swedish gang bang bukkake lesbian .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\danish action lingerie several models hotel .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx [free] feet boots (Curtney).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\mssrv.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\swedish animal hardcore voyeur cock sm (Sylvia).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\danish handjob xxx sleeping beautyfull .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\indian horse lingerie masturbation blondie (Kathrin,Karin).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\american gang bang gay lesbian .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\indian kicking trambling girls cock ejaculation (Sylvia).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\swedish porn beast lesbian black hairunshaved (Sonja,Tatjana).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\sperm public .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\temp\bukkake big black hairunshaved .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\malaysia lesbian several models hotel .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian kicking gay licking cock stockings (Tatjana).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\bukkake voyeur beautyfull .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\french sperm [free] sweet .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe
928	4fd9c7c8860fdb39d108aa863444c4f0N.exe
996	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2848	4fd9c7c8860fdb39d108aa863444c4f0N.exe
816	4fd9c7c8860fdb39d108aa863444c4f0N.exe
928	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2828	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2960	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2852	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1624	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe
568	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1684	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe
996	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1932	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2144	4fd9c7c8860fdb39d108aa863444c4f0N.exe
816	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2392	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2848	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2008	4fd9c7c8860fdb39d108aa863444c4f0N.exe
928	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2180	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1812	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2212	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2828	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1092	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2036	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2960	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1432	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1224	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2852	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2396	4fd9c7c8860fdb39d108aa863444c4f0N.exe
264	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1748	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1624	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe
996	4fd9c7c8860fdb39d108aa863444c4f0N.exe
624	4fd9c7c8860fdb39d108aa863444c4f0N.exe
624	4fd9c7c8860fdb39d108aa863444c4f0N.exe
520	4fd9c7c8860fdb39d108aa863444c4f0N.exe
520	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2568	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2804	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	29
PID 2224 wrote to memory of 2804	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	29
PID 2224 wrote to memory of 2804	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	29
PID 2224 wrote to memory of 2804	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	29
PID 2804 wrote to memory of 3064	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	30
PID 2804 wrote to memory of 3064	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	30
PID 2804 wrote to memory of 3064	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	30
PID 2804 wrote to memory of 3064	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	30
PID 2224 wrote to memory of 2320	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	31
PID 2224 wrote to memory of 2320	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	31
PID 2224 wrote to memory of 2320	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	31
PID 2224 wrote to memory of 2320	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	31
PID 2804 wrote to memory of 2496	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	32
PID 2804 wrote to memory of 2496	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	32
PID 2804 wrote to memory of 2496	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	32
PID 2804 wrote to memory of 2496	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	32
PID 3064 wrote to memory of 928	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	33
PID 3064 wrote to memory of 928	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	33
PID 3064 wrote to memory of 928	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	33
PID 3064 wrote to memory of 928	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	33
PID 2224 wrote to memory of 996	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	34
PID 2224 wrote to memory of 996	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	34
PID 2224 wrote to memory of 996	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	34
PID 2224 wrote to memory of 996	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	34
PID 2320 wrote to memory of 1900	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	35
PID 2320 wrote to memory of 1900	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	35
PID 2320 wrote to memory of 1900	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	35
PID 2320 wrote to memory of 1900	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	35
PID 2496 wrote to memory of 2848	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	36
PID 2496 wrote to memory of 2848	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	36
PID 2496 wrote to memory of 2848	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	36
PID 2496 wrote to memory of 2848	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	36
PID 928 wrote to memory of 816	928	4fd9c7c8860fdb39d108aa863444c4f0N.exe	37
PID 928 wrote to memory of 816	928	4fd9c7c8860fdb39d108aa863444c4f0N.exe	37
PID 928 wrote to memory of 816	928	4fd9c7c8860fdb39d108aa863444c4f0N.exe	37
PID 928 wrote to memory of 816	928	4fd9c7c8860fdb39d108aa863444c4f0N.exe	37
PID 2804 wrote to memory of 2828	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	38
PID 2804 wrote to memory of 2828	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	38
PID 2804 wrote to memory of 2828	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	38
PID 2804 wrote to memory of 2828	2804	4fd9c7c8860fdb39d108aa863444c4f0N.exe	38
PID 3064 wrote to memory of 2852	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	39
PID 3064 wrote to memory of 2852	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	39
PID 3064 wrote to memory of 2852	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	39
PID 3064 wrote to memory of 2852	3064	4fd9c7c8860fdb39d108aa863444c4f0N.exe	39
PID 2224 wrote to memory of 2960	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	40
PID 2224 wrote to memory of 2960	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	40
PID 2224 wrote to memory of 2960	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	40
PID 2224 wrote to memory of 2960	2224	4fd9c7c8860fdb39d108aa863444c4f0N.exe	40
PID 2320 wrote to memory of 1624	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	41
PID 2320 wrote to memory of 1624	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	41
PID 2320 wrote to memory of 1624	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	41
PID 2320 wrote to memory of 1624	2320	4fd9c7c8860fdb39d108aa863444c4f0N.exe	41
PID 996 wrote to memory of 568	996	4fd9c7c8860fdb39d108aa863444c4f0N.exe	42
PID 996 wrote to memory of 568	996	4fd9c7c8860fdb39d108aa863444c4f0N.exe	42
PID 996 wrote to memory of 568	996	4fd9c7c8860fdb39d108aa863444c4f0N.exe	42
PID 996 wrote to memory of 568	996	4fd9c7c8860fdb39d108aa863444c4f0N.exe	42
PID 1900 wrote to memory of 1684	1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe	43
PID 1900 wrote to memory of 1684	1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe	43
PID 1900 wrote to memory of 1684	1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe	43
PID 1900 wrote to memory of 1684	1900	4fd9c7c8860fdb39d108aa863444c4f0N.exe	43
PID 2496 wrote to memory of 1932	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	44
PID 2496 wrote to memory of 1932	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	44
PID 2496 wrote to memory of 1932	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	44
PID 2496 wrote to memory of 1932	2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe	44

C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        9⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:9188
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:9616
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7440
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8732
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:452
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:8000
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7092
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8248
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7372
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7380
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:7468
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7516
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8008
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9124
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9204
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3944
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7508
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7364
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8196
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6932
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3652
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7076
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:9956
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        8⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9380
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:8044
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3124
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8560
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8816
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8948
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8240
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8756
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5308
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8652
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8336
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7392
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7044
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7592
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5372
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9828
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7984
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7068
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8644
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5180
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6964
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6956
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7744
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7332
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7060
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5156
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:520
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9872
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5164
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7968
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:264
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7036
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7408
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7340
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7672
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:9864
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8328
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7500
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8232
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7400
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3964
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7644
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6300
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7432
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7416
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8016
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:6156
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:624
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3520
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5196
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8636
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7424
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6284
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5396
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7524
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7664
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7940
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5604
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7992
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6292
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8036
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5624
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8312
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8748
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7028
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:8692
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7696
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8432
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:6244
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7160
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7956
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:5220
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking beast [bangbus] girly .zip.exe

Filesize
1.2MB

MD5
42f99d9b056981d6c7b1267fa08aa37e

SHA1
57207ab607cf2b98600a33d447b05ddcd91c70cc

SHA256
96bfce0c79d742bd1723e56e6dee02ed280208a2a8ae97bb4bd25c4bca3b60f4

SHA512
f5faa656b913a321b5474626503fb504890a0b700da5bad1d9de7389d1efcaed36c3e6a0a72324c91a208c916e9412581f83591442a92464db9ba9c34ceb2ec5

Download Submit
memory/264-162-0x00000000045D0000-0x00000000045FB000-memory.dmp

Filesize
172KB

Download
memory/264-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/452-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/520-180-0x0000000004910000-0x000000000493B000-memory.dmp

Filesize
172KB

Download
memory/520-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/568-175-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/568-149-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/568-144-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/568-105-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/624-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/624-174-0x0000000001ED0000-0x0000000001EFB000-memory.dmp

Filesize
172KB

Download
memory/816-185-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/816-141-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/928-157-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/928-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/928-190-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/928-84-0x00000000047E0000-0x000000000480B000-memory.dmp

Filesize
172KB

Download
memory/928-111-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/928-139-0x00000000047E0000-0x000000000480B000-memory.dmp

Filesize
172KB

Download
memory/928-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/996-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/996-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1092-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1224-156-0x00000000044F0000-0x000000000451B000-memory.dmp

Filesize
172KB

Download
memory/1224-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1432-148-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/1432-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1532-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-147-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-124-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/1684-177-0x00000000047C0000-0x00000000047EB000-memory.dmp

Filesize
172KB

Download
memory/1684-150-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-106-0x00000000047C0000-0x00000000047EB000-memory.dmp

Filesize
172KB

Download
memory/1748-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-103-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1812-131-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/1812-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-112-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/1932-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2008-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2036-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2144-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2144-113-0x0000000004810000-0x000000000483B000-memory.dmp

Filesize
172KB

Download
memory/2144-167-0x0000000004830000-0x000000000485B000-memory.dmp

Filesize
172KB

Download
memory/2180-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2212-164-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2224-121-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2224-127-0x0000000005120000-0x000000000514B000-memory.dmp

Filesize
172KB

Download
memory/2224-130-0x0000000005AD0000-0x0000000005AFB000-memory.dmp

Filesize
172KB

Download
memory/2224-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2224-122-0x0000000004990000-0x00000000049BB000-memory.dmp

Filesize
172KB

Download
memory/2224-87-0x0000000005D60000-0x0000000005D8B000-memory.dmp

Filesize
172KB

Download
memory/2224-30-0x0000000005120000-0x000000000514B000-memory.dmp

Filesize
172KB

Download
memory/2224-117-0x00000000061B0000-0x00000000061DB000-memory.dmp

Filesize
172KB

Download
memory/2320-128-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2320-123-0x0000000004A80000-0x0000000004AAB000-memory.dmp

Filesize
172KB

Download
memory/2392-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2396-171-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2496-109-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2496-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2496-83-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2496-138-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2496-181-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2496-88-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2568-186-0x00000000045A0000-0x00000000045CB000-memory.dmp

Filesize
172KB

Download
memory/2568-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-115-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2804-176-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2804-67-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2804-28-0x00000000047F0000-0x000000000481B000-memory.dmp

Filesize
172KB

Download
memory/2804-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2828-114-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2828-159-0x0000000004910000-0x000000000493B000-memory.dmp

Filesize
172KB

Download
memory/2828-142-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2848-151-0x00000000047F0000-0x000000000481B000-memory.dmp

Filesize
172KB

Download
memory/2848-90-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2848-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2848-110-0x00000000047E0000-0x000000000480B000-memory.dmp

Filesize
172KB

Download
memory/2848-188-0x00000000047E0000-0x000000000480B000-memory.dmp

Filesize
172KB

Download
memory/2848-85-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2848-153-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2852-118-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2852-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-182-0x0000000004830000-0x000000000485B000-memory.dmp

Filesize
172KB

Download
memory/2960-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2960-116-0x0000000004820000-0x000000000484B000-memory.dmp

Filesize
172KB

Download
memory/3048-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3064-184-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/3064-143-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/3064-86-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/3064-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3232-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3360-170-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download