dcf64ad33ea1e19d158074980ac013aab09fb4788805baee19087b6886253c08

Analysis

max time kernel
11s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c74b388dba351e718b071cc9eb2fb0N.exe
Size

1.4MB
MD5

51c74b388dba351e718b071cc9eb2fb0
SHA1

9dafcbb91084c83548617cc61923a4ee5c6f4fbf
SHA256

dcf64ad33ea1e19d158074980ac013aab09fb4788805baee19087b6886253c08
SHA512

7e84178281d78ea8a5d5aedbf663fb13ce68266570f4b022713f3de628f4e9709a8fd5ade356d727a8c3b2a45334c4507a2e077b2805669897c338800bc0d1b6
SSDEEP

24576:86JiKbJf+kTUTGLCx2YaB5dAsPS3B/7xVjX9flGazgHabk4jDJQTUfx8bMBCjpdx:5xbJf+kEGynaXAsPedL3Ajo2g58UCjpL

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	51c74b388dba351e718b071cc9eb2fb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	51c74b388dba351e718b071cc9eb2fb0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\X:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\G:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\H:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\N:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\P:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\L:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\M:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\V:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\Y:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\A:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\I:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\J:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\K:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\Z:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\W:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\B:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\O:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\T:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\U:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\E:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\Q:	51c74b388dba351e718b071cc9eb2fb0N.exe
File opened (read-only)	\??\R:	51c74b388dba351e718b071cc9eb2fb0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\lesbian public cock .avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish kicking lesbian hidden (Liz).mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn bukkake voyeur titts young .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast licking hole wifey .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african trambling public femdom .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\xxx several models (Jade).zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese fetish fucking hidden sweet .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lingerie public (Liz).rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian fetish horse hidden glans YEâPSè& .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm several models sm .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore uncut mature .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish beastiality lesbian hidden cock latex .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish cum lingerie [free] .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Google\Temp\danish handjob lesbian [bangbus] shower .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\dotnet\shared\bukkake voyeur glans sm (Sylvia).mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish fetish fucking [bangbus] (Tatjana).zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking public mature .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish cumshot xxx uncut young (Christine,Karin).rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\brasilian porn bukkake [bangbus] hotel (Sonja,Janette).mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish nude fucking several models .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking several models cock mistress (Samantha).mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian animal hardcore girls (Samantha).mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\hardcore uncut sweet .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\lesbian hot (!) fishy .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese cum fucking lesbian hole bedroom .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\russian cum trambling voyeur .avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\indian kicking beast [bangbus] hole hotel (Sylvia).zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast [milf] .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\russian beastiality blowjob hidden .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\gay full movie wifey .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lingerie uncut feet .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\trambling hot (!) shower .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\japanese cumshot sperm hot (!) cock ash .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\xxx [free] shoes .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\lingerie hidden titts swallow .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black beastiality trambling [free] ¼ë .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian handjob horse hot (!) shower .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\CbsTemp\japanese beastiality gay voyeur upskirt .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\italian fetish lesbian [bangbus] titts traffic .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob masturbation balls .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian action horse licking shoes .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\swedish handjob sperm sleeping feet .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\temp\danish cumshot sperm [free] (Janette).zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\assembly\tmp\gay sleeping sm .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\brasilian beastiality bukkake hidden pregnant .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\trambling licking .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\PLA\Templates\swedish animal xxx [free] feet YEâPSè& (Samantha).mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\InputMethod\SHARED\japanese nude fucking [bangbus] .mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\security\templates\malaysia trambling full movie glans .mpeg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\xxx lesbian .avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\sperm hidden high heels .avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish porn gay masturbation young .rar.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\italian handjob lesbian voyeur titts .avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\brasilian cumshot blowjob sleeping black hairunshaved .zip.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\Downloaded Program Files\beast [milf] glans beautyfull (Janette).mpg.exe	51c74b388dba351e718b071cc9eb2fb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\bukkake hidden (Karin).avi.exe	51c74b388dba351e718b071cc9eb2fb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
3596	51c74b388dba351e718b071cc9eb2fb0N.exe
3596	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
5068	51c74b388dba351e718b071cc9eb2fb0N.exe
5068	51c74b388dba351e718b071cc9eb2fb0N.exe
5040	51c74b388dba351e718b071cc9eb2fb0N.exe
5040	51c74b388dba351e718b071cc9eb2fb0N.exe
4872	51c74b388dba351e718b071cc9eb2fb0N.exe
4872	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
3276	51c74b388dba351e718b071cc9eb2fb0N.exe
3276	51c74b388dba351e718b071cc9eb2fb0N.exe
3596	51c74b388dba351e718b071cc9eb2fb0N.exe
3596	51c74b388dba351e718b071cc9eb2fb0N.exe
2108	51c74b388dba351e718b071cc9eb2fb0N.exe
2108	51c74b388dba351e718b071cc9eb2fb0N.exe
860	51c74b388dba351e718b071cc9eb2fb0N.exe
860	51c74b388dba351e718b071cc9eb2fb0N.exe
4912	51c74b388dba351e718b071cc9eb2fb0N.exe
4912	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4140	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
4016	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
3052	51c74b388dba351e718b071cc9eb2fb0N.exe
212	51c74b388dba351e718b071cc9eb2fb0N.exe
212	51c74b388dba351e718b071cc9eb2fb0N.exe
2892	51c74b388dba351e718b071cc9eb2fb0N.exe
2892	51c74b388dba351e718b071cc9eb2fb0N.exe
1528	51c74b388dba351e718b071cc9eb2fb0N.exe
1528	51c74b388dba351e718b071cc9eb2fb0N.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4140	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	86
PID 3052 wrote to memory of 4140	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	86
PID 3052 wrote to memory of 4140	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	86
PID 4140 wrote to memory of 4016	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	87
PID 4140 wrote to memory of 4016	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	87
PID 4140 wrote to memory of 4016	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	87
PID 3052 wrote to memory of 3596	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	88
PID 3052 wrote to memory of 3596	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	88
PID 3052 wrote to memory of 3596	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	88
PID 4140 wrote to memory of 5068	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	89
PID 4140 wrote to memory of 5068	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	89
PID 4140 wrote to memory of 5068	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	89
PID 4016 wrote to memory of 4872	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	90
PID 4016 wrote to memory of 4872	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	90
PID 4016 wrote to memory of 4872	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	90
PID 3052 wrote to memory of 5040	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	91
PID 3052 wrote to memory of 5040	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	91
PID 3052 wrote to memory of 5040	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	91
PID 3596 wrote to memory of 3276	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	92
PID 3596 wrote to memory of 3276	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	92
PID 3596 wrote to memory of 3276	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	92
PID 4140 wrote to memory of 2108	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	93
PID 4140 wrote to memory of 2108	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	93
PID 4140 wrote to memory of 2108	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	93
PID 4016 wrote to memory of 860	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	94
PID 4016 wrote to memory of 860	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	94
PID 4016 wrote to memory of 860	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	94
PID 3052 wrote to memory of 4912	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	95
PID 3052 wrote to memory of 4912	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	95
PID 3052 wrote to memory of 4912	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	95
PID 5068 wrote to memory of 212	5068	51c74b388dba351e718b071cc9eb2fb0N.exe	96
PID 5068 wrote to memory of 212	5068	51c74b388dba351e718b071cc9eb2fb0N.exe	96
PID 5068 wrote to memory of 212	5068	51c74b388dba351e718b071cc9eb2fb0N.exe	96
PID 3596 wrote to memory of 2892	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	97
PID 3596 wrote to memory of 2892	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	97
PID 3596 wrote to memory of 2892	3596	51c74b388dba351e718b071cc9eb2fb0N.exe	97
PID 5040 wrote to memory of 1528	5040	51c74b388dba351e718b071cc9eb2fb0N.exe	98
PID 5040 wrote to memory of 1528	5040	51c74b388dba351e718b071cc9eb2fb0N.exe	98
PID 5040 wrote to memory of 1528	5040	51c74b388dba351e718b071cc9eb2fb0N.exe	98
PID 4872 wrote to memory of 2832	4872	51c74b388dba351e718b071cc9eb2fb0N.exe	99
PID 4872 wrote to memory of 2832	4872	51c74b388dba351e718b071cc9eb2fb0N.exe	99
PID 4872 wrote to memory of 2832	4872	51c74b388dba351e718b071cc9eb2fb0N.exe	99
PID 3276 wrote to memory of 1148	3276	51c74b388dba351e718b071cc9eb2fb0N.exe	100
PID 3276 wrote to memory of 1148	3276	51c74b388dba351e718b071cc9eb2fb0N.exe	100
PID 3276 wrote to memory of 1148	3276	51c74b388dba351e718b071cc9eb2fb0N.exe	100
PID 4140 wrote to memory of 4396	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	101
PID 4140 wrote to memory of 4396	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	101
PID 4140 wrote to memory of 4396	4140	51c74b388dba351e718b071cc9eb2fb0N.exe	101
PID 3052 wrote to memory of 4312	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	102
PID 3052 wrote to memory of 4312	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	102
PID 3052 wrote to memory of 4312	3052	51c74b388dba351e718b071cc9eb2fb0N.exe	102
PID 2108 wrote to memory of 548	2108	51c74b388dba351e718b071cc9eb2fb0N.exe	103
PID 2108 wrote to memory of 548	2108	51c74b388dba351e718b071cc9eb2fb0N.exe	103
PID 2108 wrote to memory of 548	2108	51c74b388dba351e718b071cc9eb2fb0N.exe	103
PID 4016 wrote to memory of 4424	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	104
PID 4016 wrote to memory of 4424	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	104
PID 4016 wrote to memory of 4424	4016	51c74b388dba351e718b071cc9eb2fb0N.exe	104
PID 860 wrote to memory of 2388	860	51c74b388dba351e718b071cc9eb2fb0N.exe	105
PID 860 wrote to memory of 2388	860	51c74b388dba351e718b071cc9eb2fb0N.exe	105
PID 860 wrote to memory of 2388	860	51c74b388dba351e718b071cc9eb2fb0N.exe	105

C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        8⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:9904
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:9032
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:11332
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:7492
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10144
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:8912
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6520
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8596
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11880
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:9568
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:9388
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10676
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:11340
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10720
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:8804
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:12240
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6588
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8720
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:12020
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6736
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9180
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10348
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10152
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:10324
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:9824
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:9912
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6444
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8392
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11372
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5832
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10864
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:7556
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10340
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9004
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6192
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11388
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10984
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:548
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:8812
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:12252
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:12260
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8324
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11316
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:312
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6704
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7772
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10808
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6656
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:12072
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6088
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:11364
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8012
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10816
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7564
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10420
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11308
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:7712
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:10692
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:1148
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        7⤵
        
        PID:10580
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:7500
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10308
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5320
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:9560
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:6664
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:8708
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:12044
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10260
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:7148
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9832
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10028
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6368
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:12036
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8372
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11292
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10588
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:7548
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10108
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5288
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9588
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6580
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8700
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:12028
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5812
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10316
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7476
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:10136
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8344
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11324
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11888
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:8336
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:11300
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:5864
      - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        6⤵
        
        PID:10668
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:7460
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10128
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9872
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8612
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11916
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:10060
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:9580
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11676
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:6148
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:8004
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:10852
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:5664
    - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
        5⤵
        
        PID:9540
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:9840
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:8904
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:11136
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:8020
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:10824
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
      4⤵
      PID:9772
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:6756
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:9204
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:8736
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:12172
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  PID:6048
- - C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
    3⤵
    PID:11096
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  PID:7856
- C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\51c74b388dba351e718b071cc9eb2fb0N.exe"
  2⤵
  PID:10684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking several models cock mistress (Samantha).mpeg.exe

Filesize
815KB

MD5
45fe1e414af246d25f6eb82858648f68

SHA1
7e1190cd44666c13b4da6213fef196a3d3dc0fec

SHA256
9f9e9ff52a45762d8dd3ced32e12e9f2e826428428b9133ace9aaa0341e3f518

SHA512
04a584e1216afe9d50efd282f7962e15c58449f37419d174318ad57037e8aabe6fc7450bd94b94c6fbdd024867fe66dcb2e6935f9e096e20122c576cd08167d8

Download Submit