9d972130e4e727917ed704d06666e79f6b91d98b78e4e1f69e7e96983afdc1bc

Analysis

max time kernel
25s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e512c5dc235910cef92fda8cb68be310N.exe
Size

780KB
MD5

e512c5dc235910cef92fda8cb68be310
SHA1

2324aa0e5900ece3ebc133f7c5fafb2b641026b0
SHA256

9d972130e4e727917ed704d06666e79f6b91d98b78e4e1f69e7e96983afdc1bc
SHA512

76e332d4d98122948e231a8437dcd41e2994d0dbde1a7e7c1677b18130fdc5d8e17a994454bc149dc1525bbe30e5ca81ee201f9a290f77bce360800db991868d
SSDEEP

12288:JXCNi9BTWLskzcBISneW1cX0pCHKYXfWvG378M3VWuGZu8OOPdl4GMbUej:sWTAopnH1ckcdbV3AuTMdlmX

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	e512c5dc235910cef92fda8cb68be310N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\Q:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\R:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\V:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\W:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\Y:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\Z:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\G:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\M:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\T:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\A:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\B:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\E:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\I:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\L:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\P:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\S:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\H:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\K:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\N:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\O:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\U:	e512c5dc235910cef92fda8cb68be310N.exe
File opened (read-only)	\??\X:	e512c5dc235910cef92fda8cb68be310N.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\black gay cumshot sleeping bedroom (Sarah,Christine).mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\kicking cum girls .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob girls wifey (Sonja).avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian cumshot bukkake masturbation circumcision .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese beast xxx lesbian .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\IME\shared\nude public .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\african hardcore girls .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\porn kicking catfight titts .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\FxsTmp\british handjob beast sleeping leather .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SysWOW64\IME\shared\malaysia nude sperm several models boobs leather .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\indian blowjob [bangbus] gorgeoushorny .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\nude hot (!) mature (Ashley).mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files\Windows Journal\Templates\italian fucking xxx big vagina black hairunshaved .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\sperm [milf] feet (Christine,Britney).mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\italian lesbian catfight (Kathrin).avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\italian sperm girls cock Œß (Curtney).mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\french fucking public .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files\DVD Maker\Shared\swedish horse lesbian sleeping mature .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish action hidden sm .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Google\Temp\italian fucking blowjob licking titts .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\russian fucking handjob sleeping .mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\bukkake masturbation cock (Sandy).rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\african xxx xxx full movie (Samantha).zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\malaysia beastiality masturbation wifey .mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\brasilian sperm big granny .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\gay [free] girly .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\french kicking beast [milf] fishy .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\gay animal licking .mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\security\templates\fetish action several models young .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\tmp\indian cumshot hardcore hot (!) hole .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian nude animal [milf] ash .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\beastiality gay [free] ash stockings (Sonja).zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\sperm lesbian fishy .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\SoftwareDistribution\Download\canadian lesbian voyeur ash ash .mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\spanish hardcore gay sleeping hole shoes .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\indian action trambling licking boobs ejaculation .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\PLA\Templates\italian bukkake hidden gorgeoushorny .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\malaysia horse hot (!) balls .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\black lesbian [milf] hairy (Melissa).avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\tyrkish gay catfight nipples .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\beastiality horse big .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian lesbian masturbation cock .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\handjob hidden cock (Britney,Sarah).mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american lingerie masturbation boobs lady .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cum blowjob hidden feet circumcision .rar.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\temp\lesbian fucking catfight bondage .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling fetish hot (!) legs (Curtney,Sarah).mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\Downloaded Program Files\beastiality kicking public boobs bedroom (Sarah,Jade).zip.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\british gay horse voyeur titts (Sonja,Gina).mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\lesbian hidden mature .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\mssrv.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\spanish gay horse [milf] legs hotel .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\xxx full movie .avi.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\spanish gay horse uncut .mpeg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\black beast horse lesbian (Tatjana,Janette).mpg.exe	e512c5dc235910cef92fda8cb68be310N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\danish lesbian [free] feet boots .zip.exe	e512c5dc235910cef92fda8cb68be310N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	e512c5dc235910cef92fda8cb68be310N.exe
1248	e512c5dc235910cef92fda8cb68be310N.exe
1656	e512c5dc235910cef92fda8cb68be310N.exe
2900	e512c5dc235910cef92fda8cb68be310N.exe
2716	e512c5dc235910cef92fda8cb68be310N.exe
1656	e512c5dc235910cef92fda8cb68be310N.exe
1248	e512c5dc235910cef92fda8cb68be310N.exe
928	e512c5dc235910cef92fda8cb68be310N.exe
1300	e512c5dc235910cef92fda8cb68be310N.exe
2540	e512c5dc235910cef92fda8cb68be310N.exe
1656	e512c5dc235910cef92fda8cb68be310N.exe
2716	e512c5dc235910cef92fda8cb68be310N.exe
2136	e512c5dc235910cef92fda8cb68be310N.exe
2900	e512c5dc235910cef92fda8cb68be310N.exe
1248	e512c5dc235910cef92fda8cb68be310N.exe
1656	e512c5dc235910cef92fda8cb68be310N.exe
2924	e512c5dc235910cef92fda8cb68be310N.exe
2900	e512c5dc235910cef92fda8cb68be310N.exe
1380	e512c5dc235910cef92fda8cb68be310N.exe
928	e512c5dc235910cef92fda8cb68be310N.exe
1300	e512c5dc235910cef92fda8cb68be310N.exe
2848	e512c5dc235910cef92fda8cb68be310N.exe
1812	e512c5dc235910cef92fda8cb68be310N.exe
1496	e512c5dc235910cef92fda8cb68be310N.exe
2544	e512c5dc235910cef92fda8cb68be310N.exe
2716	e512c5dc235910cef92fda8cb68be310N.exe
2208	e512c5dc235910cef92fda8cb68be310N.exe
2864	e512c5dc235910cef92fda8cb68be310N.exe
2540	e512c5dc235910cef92fda8cb68be310N.exe
1248	e512c5dc235910cef92fda8cb68be310N.exe
2136	e512c5dc235910cef92fda8cb68be310N.exe
2180	e512c5dc235910cef92fda8cb68be310N.exe
1656	e512c5dc235910cef92fda8cb68be310N.exe
2320	e512c5dc235910cef92fda8cb68be310N.exe
2064	e512c5dc235910cef92fda8cb68be310N.exe
2900	e512c5dc235910cef92fda8cb68be310N.exe
916	e512c5dc235910cef92fda8cb68be310N.exe
2924	e512c5dc235910cef92fda8cb68be310N.exe
2172	e512c5dc235910cef92fda8cb68be310N.exe
928	e512c5dc235910cef92fda8cb68be310N.exe
1300	e512c5dc235910cef92fda8cb68be310N.exe
1380	e512c5dc235910cef92fda8cb68be310N.exe
1920	e512c5dc235910cef92fda8cb68be310N.exe
2908	e512c5dc235910cef92fda8cb68be310N.exe
2848	e512c5dc235910cef92fda8cb68be310N.exe
2540	e512c5dc235910cef92fda8cb68be310N.exe
1248	e512c5dc235910cef92fda8cb68be310N.exe
2716	e512c5dc235910cef92fda8cb68be310N.exe
1944	e512c5dc235910cef92fda8cb68be310N.exe
1780	e512c5dc235910cef92fda8cb68be310N.exe
1852	e512c5dc235910cef92fda8cb68be310N.exe
880	e512c5dc235910cef92fda8cb68be310N.exe
2136	e512c5dc235910cef92fda8cb68be310N.exe
108	e512c5dc235910cef92fda8cb68be310N.exe
108	e512c5dc235910cef92fda8cb68be310N.exe
2524	e512c5dc235910cef92fda8cb68be310N.exe
2524	e512c5dc235910cef92fda8cb68be310N.exe
1996	e512c5dc235910cef92fda8cb68be310N.exe
1996	e512c5dc235910cef92fda8cb68be310N.exe
1800	e512c5dc235910cef92fda8cb68be310N.exe
1800	e512c5dc235910cef92fda8cb68be310N.exe
788	e512c5dc235910cef92fda8cb68be310N.exe
788	e512c5dc235910cef92fda8cb68be310N.exe
2544	e512c5dc235910cef92fda8cb68be310N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1248	1656	e512c5dc235910cef92fda8cb68be310N.exe	30
PID 1656 wrote to memory of 1248	1656	e512c5dc235910cef92fda8cb68be310N.exe	30
PID 1656 wrote to memory of 1248	1656	e512c5dc235910cef92fda8cb68be310N.exe	30
PID 1656 wrote to memory of 1248	1656	e512c5dc235910cef92fda8cb68be310N.exe	30
PID 1656 wrote to memory of 2900	1656	e512c5dc235910cef92fda8cb68be310N.exe	31
PID 1656 wrote to memory of 2900	1656	e512c5dc235910cef92fda8cb68be310N.exe	31
PID 1656 wrote to memory of 2900	1656	e512c5dc235910cef92fda8cb68be310N.exe	31
PID 1656 wrote to memory of 2900	1656	e512c5dc235910cef92fda8cb68be310N.exe	31
PID 1248 wrote to memory of 2716	1248	e512c5dc235910cef92fda8cb68be310N.exe	32
PID 1248 wrote to memory of 2716	1248	e512c5dc235910cef92fda8cb68be310N.exe	32
PID 1248 wrote to memory of 2716	1248	e512c5dc235910cef92fda8cb68be310N.exe	32
PID 1248 wrote to memory of 2716	1248	e512c5dc235910cef92fda8cb68be310N.exe	32
PID 2716 wrote to memory of 928	2716	e512c5dc235910cef92fda8cb68be310N.exe	33
PID 2716 wrote to memory of 928	2716	e512c5dc235910cef92fda8cb68be310N.exe	33
PID 2716 wrote to memory of 928	2716	e512c5dc235910cef92fda8cb68be310N.exe	33
PID 2716 wrote to memory of 928	2716	e512c5dc235910cef92fda8cb68be310N.exe	33
PID 1656 wrote to memory of 2540	1656	e512c5dc235910cef92fda8cb68be310N.exe	34
PID 1656 wrote to memory of 2540	1656	e512c5dc235910cef92fda8cb68be310N.exe	34
PID 1656 wrote to memory of 2540	1656	e512c5dc235910cef92fda8cb68be310N.exe	34
PID 1656 wrote to memory of 2540	1656	e512c5dc235910cef92fda8cb68be310N.exe	34
PID 2900 wrote to memory of 1300	2900	e512c5dc235910cef92fda8cb68be310N.exe	35
PID 2900 wrote to memory of 1300	2900	e512c5dc235910cef92fda8cb68be310N.exe	35
PID 2900 wrote to memory of 1300	2900	e512c5dc235910cef92fda8cb68be310N.exe	35
PID 2900 wrote to memory of 1300	2900	e512c5dc235910cef92fda8cb68be310N.exe	35
PID 1248 wrote to memory of 2136	1248	e512c5dc235910cef92fda8cb68be310N.exe	36
PID 1248 wrote to memory of 2136	1248	e512c5dc235910cef92fda8cb68be310N.exe	36
PID 1248 wrote to memory of 2136	1248	e512c5dc235910cef92fda8cb68be310N.exe	36
PID 1248 wrote to memory of 2136	1248	e512c5dc235910cef92fda8cb68be310N.exe	36
PID 1656 wrote to memory of 2924	1656	e512c5dc235910cef92fda8cb68be310N.exe	37
PID 1656 wrote to memory of 2924	1656	e512c5dc235910cef92fda8cb68be310N.exe	37
PID 1656 wrote to memory of 2924	1656	e512c5dc235910cef92fda8cb68be310N.exe	37
PID 1656 wrote to memory of 2924	1656	e512c5dc235910cef92fda8cb68be310N.exe	37
PID 2900 wrote to memory of 1496	2900	e512c5dc235910cef92fda8cb68be310N.exe	38
PID 2900 wrote to memory of 1496	2900	e512c5dc235910cef92fda8cb68be310N.exe	38
PID 2900 wrote to memory of 1496	2900	e512c5dc235910cef92fda8cb68be310N.exe	38
PID 2900 wrote to memory of 1496	2900	e512c5dc235910cef92fda8cb68be310N.exe	38
PID 2716 wrote to memory of 1380	2716	e512c5dc235910cef92fda8cb68be310N.exe	39
PID 2716 wrote to memory of 1380	2716	e512c5dc235910cef92fda8cb68be310N.exe	39
PID 2716 wrote to memory of 1380	2716	e512c5dc235910cef92fda8cb68be310N.exe	39
PID 2716 wrote to memory of 1380	2716	e512c5dc235910cef92fda8cb68be310N.exe	39
PID 2540 wrote to memory of 2208	2540	e512c5dc235910cef92fda8cb68be310N.exe	40
PID 2540 wrote to memory of 2208	2540	e512c5dc235910cef92fda8cb68be310N.exe	40
PID 2540 wrote to memory of 2208	2540	e512c5dc235910cef92fda8cb68be310N.exe	40
PID 2540 wrote to memory of 2208	2540	e512c5dc235910cef92fda8cb68be310N.exe	40
PID 928 wrote to memory of 2544	928	e512c5dc235910cef92fda8cb68be310N.exe	42
PID 928 wrote to memory of 2544	928	e512c5dc235910cef92fda8cb68be310N.exe	42
PID 928 wrote to memory of 2544	928	e512c5dc235910cef92fda8cb68be310N.exe	42
PID 928 wrote to memory of 2544	928	e512c5dc235910cef92fda8cb68be310N.exe	42
PID 1248 wrote to memory of 2848	1248	e512c5dc235910cef92fda8cb68be310N.exe	43
PID 1248 wrote to memory of 2848	1248	e512c5dc235910cef92fda8cb68be310N.exe	43
PID 1248 wrote to memory of 2848	1248	e512c5dc235910cef92fda8cb68be310N.exe	43
PID 1248 wrote to memory of 2848	1248	e512c5dc235910cef92fda8cb68be310N.exe	43
PID 1300 wrote to memory of 1812	1300	e512c5dc235910cef92fda8cb68be310N.exe	41
PID 1300 wrote to memory of 1812	1300	e512c5dc235910cef92fda8cb68be310N.exe	41
PID 1300 wrote to memory of 1812	1300	e512c5dc235910cef92fda8cb68be310N.exe	41
PID 1300 wrote to memory of 1812	1300	e512c5dc235910cef92fda8cb68be310N.exe	41
PID 2136 wrote to memory of 2864	2136	e512c5dc235910cef92fda8cb68be310N.exe	44
PID 2136 wrote to memory of 2864	2136	e512c5dc235910cef92fda8cb68be310N.exe	44
PID 2136 wrote to memory of 2864	2136	e512c5dc235910cef92fda8cb68be310N.exe	44
PID 2136 wrote to memory of 2864	2136	e512c5dc235910cef92fda8cb68be310N.exe	44
PID 1656 wrote to memory of 2180	1656	e512c5dc235910cef92fda8cb68be310N.exe	45
PID 1656 wrote to memory of 2180	1656	e512c5dc235910cef92fda8cb68be310N.exe	45
PID 1656 wrote to memory of 2180	1656	e512c5dc235910cef92fda8cb68be310N.exe	45
PID 1656 wrote to memory of 2180	1656	e512c5dc235910cef92fda8cb68be310N.exe	45

C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
"C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        8⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        8⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:9196
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:8212
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:9460
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4772
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8260
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3724
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8300
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8204
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:8292
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:9152
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8924
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8308
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5360
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:9204
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4056
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8332
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5716
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8896
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3656
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8324
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5760
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3344
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:9188
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8392
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9372
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8828
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5344
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8340
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9444
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:10072
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8284
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9348
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9180
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8196
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8748
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:9108
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8316
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3732
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:5596
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        7⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4664
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:9476
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8932
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8840
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8276
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3240
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8864
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:944
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:9468
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9356
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8740
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8804
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:5328
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:8820
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        6⤵
        
        PID:8788
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:7588
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:9864
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:9340
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8872
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:9364
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:5532
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:9948
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8940
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8728
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5588
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8888
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:8220
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
        5⤵
        
        PID:8992
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:5468
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
      "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
      4⤵
      PID:8380
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:5708
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:8848
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:3480
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:8796
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
    "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
    3⤵
    PID:8268
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe
  "C:\Users\Admin\AppData\Local\Temp\e512c5dc235910cef92fda8cb68be310N.exe"
  2⤵
  PID:8880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish action hidden sm .avi.exe

Filesize
1.2MB

MD5
322359cdd888a6832b773acafa16b394

SHA1
ef8ef3261a70883d6707f3e535ade8f9708ab90a

SHA256
372faf7b2457a07fec245aa10abba7e4340b41f0706d1d463a2f93385825a656

SHA512
3ab148940f01066a5f55179c6e8656dfea53ed6b6f1396587c940579b7acfee56a733f31e5f09065179fb9a687f4d1c56292711afdf9d2906c19c605e180df80

Download Submit