5ae321a4379ebd4e01f7e02ae94c5be67712eeef3437324bb5234406ef51dfd9

Analysis

max time kernel
25s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f19b5c81d8a669fba241880c6497340N.exe
Size

517KB
MD5

6f19b5c81d8a669fba241880c6497340
SHA1

560376f70b83b6f61c66a5bddbd852660d133b53
SHA256

5ae321a4379ebd4e01f7e02ae94c5be67712eeef3437324bb5234406ef51dfd9
SHA512

7fd3f245e5bf9096640dcf8b2ef30fcd81f861f02cdbbb9a80b0d1ffa5dd3b77fa3f884b09b1a0b7b5294f62e2d29825ad8b7a978993710a80581dafde4c9721
SSDEEP

12288:bPKL8qO4DuG+uFsXO51cOQ0TmQbT2NFk20RIgM4jTJiN4N+W:bSL//FsXOUOtVT2NDujTg40W

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x0007000000018b62-5.dat	upx
behavioral1/memory/2952-11-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2884-32-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2476-72-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2476-85-0x0000000001D50000-0x0000000001D6D000-memory.dmp	upx
behavioral1/memory/2268-84-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2952-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1884-89-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1060-91-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/580-93-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1556-95-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2028-97-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/796-98-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1504-100-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/580-99-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1556-103-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1884-106-0x0000000004900000-0x000000000491D000-memory.dmp	upx
behavioral1/memory/2028-105-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1796-107-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2572-110-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1344-111-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2572-123-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1092-124-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2820-131-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2884-132-0x0000000004940000-0x000000000495D000-memory.dmp	upx
behavioral1/memory/2708-134-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2820-135-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2512-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2708-137-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2940-147-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/672-154-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1324-153-0x0000000004A60000-0x0000000004A7D000-memory.dmp	upx
behavioral1/memory/2996-155-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3108-161-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3128-162-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3312-167-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3108-169-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3328-171-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3128-172-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3312-179-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1092-183-0x00000000047C0000-0x00000000047DD000-memory.dmp	upx
behavioral1/memory/3708-194-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1188-196-0x0000000004920000-0x000000000493D000-memory.dmp	upx
behavioral1/memory/3972-201-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3780-204-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4016-205-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3920-209-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3972-206-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3168-211-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3264-212-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3272-214-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4068-215-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3168-223-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4036-225-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3272-226-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4068-228-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/3264-224-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4108-229-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4160-232-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4200-234-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/4036-233-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6f19b5c81d8a669fba241880c6497340N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\L:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\R:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\S:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\T:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\V:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\Y:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\I:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\O:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\U:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\W:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\E:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\G:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\K:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\M:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\N:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\Q:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\Z:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\B:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\H:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\J:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\P:	6f19b5c81d8a669fba241880c6497340N.exe
File opened (read-only)	\??\X:	6f19b5c81d8a669fba241880c6497340N.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\shared\swedish horse hardcore several models feet bondage .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse hidden feet (Britney,Sarah).rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\bukkake uncut hole .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\IME\shared\hardcore catfight hole .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish nude xxx several models titts girly (Janette).mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\System32\DriverStore\Temp\lingerie sleeping .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\xxx catfight feet swallow .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\FxsTmp\fucking hot (!) titts (Ashley,Melissa).zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking big girly .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SysWOW64\FxsTmp\canadian blowjob girls black hairunshaved .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\hardcore hot (!) bedroom (Christine,Karin).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\swedish nude lesbian licking granny .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese action sperm sleeping .mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\black gang bang horse [bangbus] cock wifey .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Google\Temp\danish kicking blowjob licking (Curtney).mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\beast masturbation mature .mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\japanese cumshot bukkake several models cock lady .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\japanese gang bang gay [bangbus] glans pregnant .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\beast licking penetration .mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files\DVD Maker\Shared\brasilian animal beast big hole .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files\Windows Journal\Templates\hardcore catfight (Jade).rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish animal trambling catfight (Melissa).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\swedish horse lesbian voyeur glans .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\american action horse [free] .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lingerie several models sweet .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File created	C:\Windows\assembly\temp\xxx [milf] feet .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\tmp\italian porn hardcore full movie balls .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\swedish handjob hardcore several models titts redhair .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish horse gay [milf] 50+ .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese beastiality xxx hidden latex .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\indian animal xxx catfight titts shower (Liz).rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\tyrkish cumshot trambling uncut hotel (Christine,Liz).rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\security\templates\lingerie [free] hairy .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\indian nude lesbian full movie glans hotel .mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx [free] (Sarah).zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\beastiality bukkake lesbian titts latex .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian action trambling masturbation ash (Sonja,Sarah).mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\black handjob fucking catfight titts girly (Samantha).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\swedish action lesbian voyeur glans .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american animal lingerie [free] .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\indian handjob beast several models cock shower (Samantha).mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\german xxx voyeur (Jade).avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\black nude hardcore [milf] upskirt .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\bukkake catfight (Liz).zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\PLA\Templates\swedish horse gay full movie hairy .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\hardcore [milf] (Samantha).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\tyrkish handjob bukkake full movie mistress .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\Downloaded Program Files\japanese horse bukkake girls feet fishy (Melissa).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\african hardcore several models YEâPSè& .mpeg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\mssrv.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\beast several models feet castration (Janette).rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish kicking trambling [milf] titts fishy .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse masturbation (Karin).avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish gang bang lesbian voyeur (Curtney).mpg.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx hot (!) lady .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\american cumshot lingerie hot (!) .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black porn lingerie full movie (Jade).avi.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\beast masturbation hole .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\SoftwareDistribution\Download\danish handjob hardcore uncut .zip.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\italian gang bang beast full movie leather .rar.exe	6f19b5c81d8a669fba241880c6497340N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\black cum bukkake licking redhair .avi.exe	6f19b5c81d8a669fba241880c6497340N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	6f19b5c81d8a669fba241880c6497340N.exe
2952	6f19b5c81d8a669fba241880c6497340N.exe
2268	6f19b5c81d8a669fba241880c6497340N.exe
2884	6f19b5c81d8a669fba241880c6497340N.exe
2924	6f19b5c81d8a669fba241880c6497340N.exe
2268	6f19b5c81d8a669fba241880c6497340N.exe
2952	6f19b5c81d8a669fba241880c6497340N.exe
2476	6f19b5c81d8a669fba241880c6497340N.exe
1188	6f19b5c81d8a669fba241880c6497340N.exe
1924	6f19b5c81d8a669fba241880c6497340N.exe
2884	6f19b5c81d8a669fba241880c6497340N.exe
2268	6f19b5c81d8a669fba241880c6497340N.exe
2952	6f19b5c81d8a669fba241880c6497340N.exe
1324	6f19b5c81d8a669fba241880c6497340N.exe
2924	6f19b5c81d8a669fba241880c6497340N.exe
2764	6f19b5c81d8a669fba241880c6497340N.exe
1352	6f19b5c81d8a669fba241880c6497340N.exe
2268	6f19b5c81d8a669fba241880c6497340N.exe
2884	6f19b5c81d8a669fba241880c6497340N.exe
3060	6f19b5c81d8a669fba241880c6497340N.exe
2476	6f19b5c81d8a669fba241880c6497340N.exe
2952	6f19b5c81d8a669fba241880c6497340N.exe
1884	6f19b5c81d8a669fba241880c6497340N.exe
796	6f19b5c81d8a669fba241880c6497340N.exe
1060	6f19b5c81d8a669fba241880c6497340N.exe
580	6f19b5c81d8a669fba241880c6497340N.exe
2924	6f19b5c81d8a669fba241880c6497340N.exe
1188	6f19b5c81d8a669fba241880c6497340N.exe
1924	6f19b5c81d8a669fba241880c6497340N.exe
2232	6f19b5c81d8a669fba241880c6497340N.exe
1324	6f19b5c81d8a669fba241880c6497340N.exe
1556	6f19b5c81d8a669fba241880c6497340N.exe
2028	6f19b5c81d8a669fba241880c6497340N.exe
2268	6f19b5c81d8a669fba241880c6497340N.exe
2764	6f19b5c81d8a669fba241880c6497340N.exe
2884	6f19b5c81d8a669fba241880c6497340N.exe
1796	6f19b5c81d8a669fba241880c6497340N.exe
1468	6f19b5c81d8a669fba241880c6497340N.exe
1352	6f19b5c81d8a669fba241880c6497340N.exe
1504	6f19b5c81d8a669fba241880c6497340N.exe
2596	6f19b5c81d8a669fba241880c6497340N.exe
2952	6f19b5c81d8a669fba241880c6497340N.exe
2476	6f19b5c81d8a669fba241880c6497340N.exe
1064	6f19b5c81d8a669fba241880c6497340N.exe
1900	6f19b5c81d8a669fba241880c6497340N.exe
3060	6f19b5c81d8a669fba241880c6497340N.exe
2228	6f19b5c81d8a669fba241880c6497340N.exe
1884	6f19b5c81d8a669fba241880c6497340N.exe
1500	6f19b5c81d8a669fba241880c6497340N.exe
2924	6f19b5c81d8a669fba241880c6497340N.exe
1164	6f19b5c81d8a669fba241880c6497340N.exe
2572	6f19b5c81d8a669fba241880c6497340N.exe
1344	6f19b5c81d8a669fba241880c6497340N.exe
1344	6f19b5c81d8a669fba241880c6497340N.exe
796	6f19b5c81d8a669fba241880c6497340N.exe
796	6f19b5c81d8a669fba241880c6497340N.exe
1188	6f19b5c81d8a669fba241880c6497340N.exe
1188	6f19b5c81d8a669fba241880c6497340N.exe
1932	6f19b5c81d8a669fba241880c6497340N.exe
1932	6f19b5c81d8a669fba241880c6497340N.exe
2352	6f19b5c81d8a669fba241880c6497340N.exe
2352	6f19b5c81d8a669fba241880c6497340N.exe
1924	6f19b5c81d8a669fba241880c6497340N.exe
1924	6f19b5c81d8a669fba241880c6497340N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2952	2268	6f19b5c81d8a669fba241880c6497340N.exe	30
PID 2268 wrote to memory of 2952	2268	6f19b5c81d8a669fba241880c6497340N.exe	30
PID 2268 wrote to memory of 2952	2268	6f19b5c81d8a669fba241880c6497340N.exe	30
PID 2268 wrote to memory of 2952	2268	6f19b5c81d8a669fba241880c6497340N.exe	30
PID 2268 wrote to memory of 2884	2268	6f19b5c81d8a669fba241880c6497340N.exe	31
PID 2268 wrote to memory of 2884	2268	6f19b5c81d8a669fba241880c6497340N.exe	31
PID 2268 wrote to memory of 2884	2268	6f19b5c81d8a669fba241880c6497340N.exe	31
PID 2268 wrote to memory of 2884	2268	6f19b5c81d8a669fba241880c6497340N.exe	31
PID 2952 wrote to memory of 2924	2952	6f19b5c81d8a669fba241880c6497340N.exe	32
PID 2952 wrote to memory of 2924	2952	6f19b5c81d8a669fba241880c6497340N.exe	32
PID 2952 wrote to memory of 2924	2952	6f19b5c81d8a669fba241880c6497340N.exe	32
PID 2952 wrote to memory of 2924	2952	6f19b5c81d8a669fba241880c6497340N.exe	32
PID 2884 wrote to memory of 1188	2884	6f19b5c81d8a669fba241880c6497340N.exe	33
PID 2884 wrote to memory of 1188	2884	6f19b5c81d8a669fba241880c6497340N.exe	33
PID 2884 wrote to memory of 1188	2884	6f19b5c81d8a669fba241880c6497340N.exe	33
PID 2884 wrote to memory of 1188	2884	6f19b5c81d8a669fba241880c6497340N.exe	33
PID 2924 wrote to memory of 2476	2924	6f19b5c81d8a669fba241880c6497340N.exe	34
PID 2924 wrote to memory of 2476	2924	6f19b5c81d8a669fba241880c6497340N.exe	34
PID 2924 wrote to memory of 2476	2924	6f19b5c81d8a669fba241880c6497340N.exe	34
PID 2924 wrote to memory of 2476	2924	6f19b5c81d8a669fba241880c6497340N.exe	34
PID 2268 wrote to memory of 1924	2268	6f19b5c81d8a669fba241880c6497340N.exe	35
PID 2268 wrote to memory of 1924	2268	6f19b5c81d8a669fba241880c6497340N.exe	35
PID 2268 wrote to memory of 1924	2268	6f19b5c81d8a669fba241880c6497340N.exe	35
PID 2268 wrote to memory of 1924	2268	6f19b5c81d8a669fba241880c6497340N.exe	35
PID 2952 wrote to memory of 1324	2952	6f19b5c81d8a669fba241880c6497340N.exe	36
PID 2952 wrote to memory of 1324	2952	6f19b5c81d8a669fba241880c6497340N.exe	36
PID 2952 wrote to memory of 1324	2952	6f19b5c81d8a669fba241880c6497340N.exe	36
PID 2952 wrote to memory of 1324	2952	6f19b5c81d8a669fba241880c6497340N.exe	36
PID 2268 wrote to memory of 2764	2268	6f19b5c81d8a669fba241880c6497340N.exe	38
PID 2268 wrote to memory of 2764	2268	6f19b5c81d8a669fba241880c6497340N.exe	38
PID 2268 wrote to memory of 2764	2268	6f19b5c81d8a669fba241880c6497340N.exe	38
PID 2268 wrote to memory of 2764	2268	6f19b5c81d8a669fba241880c6497340N.exe	38
PID 2884 wrote to memory of 1352	2884	6f19b5c81d8a669fba241880c6497340N.exe	39
PID 2884 wrote to memory of 1352	2884	6f19b5c81d8a669fba241880c6497340N.exe	39
PID 2884 wrote to memory of 1352	2884	6f19b5c81d8a669fba241880c6497340N.exe	39
PID 2884 wrote to memory of 1352	2884	6f19b5c81d8a669fba241880c6497340N.exe	39
PID 2476 wrote to memory of 1884	2476	6f19b5c81d8a669fba241880c6497340N.exe	37
PID 2476 wrote to memory of 1884	2476	6f19b5c81d8a669fba241880c6497340N.exe	37
PID 2476 wrote to memory of 1884	2476	6f19b5c81d8a669fba241880c6497340N.exe	37
PID 2476 wrote to memory of 1884	2476	6f19b5c81d8a669fba241880c6497340N.exe	37
PID 2952 wrote to memory of 3060	2952	6f19b5c81d8a669fba241880c6497340N.exe	40
PID 2952 wrote to memory of 3060	2952	6f19b5c81d8a669fba241880c6497340N.exe	40
PID 2952 wrote to memory of 3060	2952	6f19b5c81d8a669fba241880c6497340N.exe	40
PID 2952 wrote to memory of 3060	2952	6f19b5c81d8a669fba241880c6497340N.exe	40
PID 2924 wrote to memory of 1060	2924	6f19b5c81d8a669fba241880c6497340N.exe	41
PID 2924 wrote to memory of 1060	2924	6f19b5c81d8a669fba241880c6497340N.exe	41
PID 2924 wrote to memory of 1060	2924	6f19b5c81d8a669fba241880c6497340N.exe	41
PID 2924 wrote to memory of 1060	2924	6f19b5c81d8a669fba241880c6497340N.exe	41
PID 1924 wrote to memory of 796	1924	6f19b5c81d8a669fba241880c6497340N.exe	42
PID 1924 wrote to memory of 796	1924	6f19b5c81d8a669fba241880c6497340N.exe	42
PID 1924 wrote to memory of 796	1924	6f19b5c81d8a669fba241880c6497340N.exe	42
PID 1924 wrote to memory of 796	1924	6f19b5c81d8a669fba241880c6497340N.exe	42
PID 1188 wrote to memory of 580	1188	6f19b5c81d8a669fba241880c6497340N.exe	43
PID 1188 wrote to memory of 580	1188	6f19b5c81d8a669fba241880c6497340N.exe	43
PID 1188 wrote to memory of 580	1188	6f19b5c81d8a669fba241880c6497340N.exe	43
PID 1188 wrote to memory of 580	1188	6f19b5c81d8a669fba241880c6497340N.exe	43
PID 1324 wrote to memory of 2232	1324	6f19b5c81d8a669fba241880c6497340N.exe	44
PID 1324 wrote to memory of 2232	1324	6f19b5c81d8a669fba241880c6497340N.exe	44
PID 1324 wrote to memory of 2232	1324	6f19b5c81d8a669fba241880c6497340N.exe	44
PID 1324 wrote to memory of 2232	1324	6f19b5c81d8a669fba241880c6497340N.exe	44
PID 2268 wrote to memory of 1556	2268	6f19b5c81d8a669fba241880c6497340N.exe	45
PID 2268 wrote to memory of 1556	2268	6f19b5c81d8a669fba241880c6497340N.exe	45
PID 2268 wrote to memory of 1556	2268	6f19b5c81d8a669fba241880c6497340N.exe	45
PID 2268 wrote to memory of 1556	2268	6f19b5c81d8a669fba241880c6497340N.exe	45

C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
"C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        8⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        8⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        8⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:7072
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:6848
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5444
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9544
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        8⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:8640
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8632
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:8288
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9936
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:6176
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9144
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:10116
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:280
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9264
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6236
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9664
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9628
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8756
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8736
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7908
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9680
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:10212
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8744
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10236
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3312
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5176
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9808
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5196
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1064
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9648
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8508
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6228
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10016
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6244
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10108
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7512
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9460
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7616
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3796
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7924
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9568
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7828
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9752
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:10168
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:5164
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:580
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:9848
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:10160
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9528
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6188
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10392
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8596
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8948
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:8660
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9640
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3920
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:8492
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:10196
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        7⤵
        
        PID:8532
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:9656
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8800
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9160
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3760
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:7916
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5316
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9784
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6080
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:10220
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9248
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8500
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5332
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9996
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:8524
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:7900
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9908
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9468
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:8968
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:8616
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3108
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8516
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4416
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:8604
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:10152
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9256
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:8332
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9560
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:1688
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:7044
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        6⤵
        
        PID:8764
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6920
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:8960
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9168
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9764
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9672
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9704
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:7060
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:6064
    - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
        5⤵
        
        PID:9956
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:10188
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:7520
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:6316
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:9744
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:6564
  - - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
      "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
      4⤵
      PID:9948
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:5380
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:9552
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:10228
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
    "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
    3⤵
    PID:5780
- C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe
  "C:\Users\Admin\AppData\Local\Temp\6f19b5c81d8a669fba241880c6497340N.exe"
  2⤵
  PID:6928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\japanese action sperm sleeping .mpg.exe

Filesize
815KB

MD5
48ee1a11001e8607a3a771a4abc80221

SHA1
4df4fc047e3bdd779eb76a420333cace2f7c3488

SHA256
7ff2557e18ee382ef6ad65b4353be624877c7e79311cdbd61b138ce179526a1a

SHA512
ebc6e13d6d61b238ff11b57ee22dc027617f51dfed130635802cf8405fb602b17cc67ad286a2ab9615694c6e0a66e9519c9a7e2fc8af49057fe6aa3a91ef4dc8

Download Submit
memory/580-93-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/580-216-0x0000000004920000-0x000000000493D000-memory.dmp

Filesize
116KB

Download
memory/580-99-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/672-154-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/796-122-0x0000000004570000-0x000000000458D000-memory.dmp

Filesize
116KB

Download
memory/796-98-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1060-91-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1064-210-0x00000000047E0000-0x00000000047FD000-memory.dmp

Filesize
116KB

Download
memory/1064-217-0x00000000047E0000-0x00000000047FD000-memory.dmp

Filesize
116KB

Download
memory/1092-183-0x00000000047C0000-0x00000000047DD000-memory.dmp

Filesize
116KB

Download
memory/1092-124-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1188-196-0x0000000004920000-0x000000000493D000-memory.dmp

Filesize
116KB

Download
memory/1188-92-0x0000000004900000-0x000000000491D000-memory.dmp

Filesize
116KB

Download
memory/1324-153-0x0000000004A60000-0x0000000004A7D000-memory.dmp

Filesize
116KB

Download
memory/1324-101-0x0000000004A50000-0x0000000004A6D000-memory.dmp

Filesize
116KB

Download
memory/1344-111-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1352-168-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1352-160-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1504-100-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1556-181-0x0000000004920000-0x000000000493D000-memory.dmp

Filesize
116KB

Download
memory/1556-95-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1556-103-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1760-192-0x00000000047C0000-0x00000000047DD000-memory.dmp

Filesize
116KB

Download
memory/1796-107-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1884-106-0x0000000004900000-0x000000000491D000-memory.dmp

Filesize
116KB

Download
memory/1884-89-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2028-133-0x0000000001E70000-0x0000000001E8D000-memory.dmp

Filesize
116KB

Download
memory/2028-105-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2028-136-0x0000000001E70000-0x0000000001E8D000-memory.dmp

Filesize
116KB

Download
memory/2028-97-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2148-207-0x00000000047C0000-0x00000000047DD000-memory.dmp

Filesize
116KB

Download
memory/2148-202-0x00000000047C0000-0x00000000047DD000-memory.dmp

Filesize
116KB

Download
memory/2232-231-0x0000000004A60000-0x0000000004A7D000-memory.dmp

Filesize
116KB

Download
memory/2232-218-0x0000000004A60000-0x0000000004A7D000-memory.dmp

Filesize
116KB

Download
memory/2268-86-0x0000000004A70000-0x0000000004A8D000-memory.dmp

Filesize
116KB

Download
memory/2268-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2268-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2268-31-0x0000000004A70000-0x0000000004A8D000-memory.dmp

Filesize
116KB

Download
memory/2268-88-0x0000000004A70000-0x0000000004A8D000-memory.dmp

Filesize
116KB

Download
memory/2268-10-0x0000000004A70000-0x0000000004A8D000-memory.dmp

Filesize
116KB

Download
memory/2476-85-0x0000000001D50000-0x0000000001D6D000-memory.dmp

Filesize
116KB

Download
memory/2476-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2512-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2512-227-0x0000000002020000-0x000000000203D000-memory.dmp

Filesize
116KB

Download
memory/2564-200-0x0000000004460000-0x000000000447D000-memory.dmp

Filesize
116KB

Download
memory/2564-193-0x0000000004460000-0x000000000447D000-memory.dmp

Filesize
116KB

Download
memory/2572-123-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2572-110-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2708-208-0x0000000001EC0000-0x0000000001EDD000-memory.dmp

Filesize
116KB

Download
memory/2708-134-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2708-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2708-203-0x0000000001EC0000-0x0000000001EDD000-memory.dmp

Filesize
116KB

Download
memory/2716-213-0x0000000000860000-0x000000000087D000-memory.dmp

Filesize
116KB

Download
memory/2764-130-0x00000000045D0000-0x00000000045ED000-memory.dmp

Filesize
116KB

Download
memory/2780-230-0x0000000004910000-0x000000000492D000-memory.dmp

Filesize
116KB

Download
memory/2820-131-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2820-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-71-0x0000000001EA0000-0x0000000001EBD000-memory.dmp

Filesize
116KB

Download
memory/2884-104-0x0000000004940000-0x000000000495D000-memory.dmp

Filesize
116KB

Download
memory/2884-96-0x0000000004940000-0x000000000495D000-memory.dmp

Filesize
116KB

Download
memory/2884-32-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2884-132-0x0000000004940000-0x000000000495D000-memory.dmp

Filesize
116KB

Download
memory/2884-90-0x0000000001EA0000-0x0000000001EBD000-memory.dmp

Filesize
116KB

Download
memory/2924-199-0x0000000000710000-0x000000000072D000-memory.dmp

Filesize
116KB

Download
memory/2940-147-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2952-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2952-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2952-33-0x0000000002110000-0x000000000212D000-memory.dmp

Filesize
116KB

Download
memory/2996-155-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3060-139-0x0000000004A60000-0x0000000004A7D000-memory.dmp

Filesize
116KB

Download
memory/3108-161-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3108-169-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3128-172-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3128-162-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3168-223-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3168-211-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3264-212-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3264-224-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3272-226-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3272-214-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3312-179-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3312-167-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3328-171-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3708-194-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3780-204-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3920-209-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3972-206-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3972-201-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4016-205-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4036-225-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4036-233-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4068-228-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4068-215-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4108-229-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4160-232-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4200-234-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download