836e482241225a1a725ec9ae5b51ff1284dcb4d141e212029eac2bb171ecdfe9

Analysis

max time kernel
12s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40b774565b57b2baaa0fb9ff4b93d200N.exe
Size

1.4MB
MD5

40b774565b57b2baaa0fb9ff4b93d200
SHA1

b648b6779807b915dba741ad9f70e48bd3a0e261
SHA256

836e482241225a1a725ec9ae5b51ff1284dcb4d141e212029eac2bb171ecdfe9
SHA512

e51da9fe882af119a0e7c9ecd905897036088ac0822002e4f9ea7211b01885f0ec3dfa9fba522cbe9958d40c0b7f86ecd0015c6221a76efdd3fe497d49b58141
SSDEEP

24576:864g2QIxGiEegTy5zThwsP7GoogSCmeYZ/FnjUWnLSB/OopYh/2H07f9/aYc859H:5bMEegCTh/Koo5j/jLSM12H4fBVj9d

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	40b774565b57b2baaa0fb9ff4b93d200N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	40b774565b57b2baaa0fb9ff4b93d200N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\W:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\Z:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\H:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\M:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\P:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\A:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\Y:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\T:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\X:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\B:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\G:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\K:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\L:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\N:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\O:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\Q:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\R:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\E:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\I:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\J:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\S:	40b774565b57b2baaa0fb9ff4b93d200N.exe
File opened (read-only)	\??\U:	40b774565b57b2baaa0fb9ff4b93d200N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\hardcore catfight (Karin).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\xxx full movie glans fishy .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian cumshot fucking full movie titts mature .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish fetish trambling [milf] (Jade).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\System32\DriverStore\Temp\bukkake full movie ¼ë .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian porn bukkake hidden titts upskirt (Curtney).mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian fetish sperm uncut glans 40+ .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american cum trambling [milf] glans stockings (Curtney).mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish gang bang gay sleeping fishy .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay masturbation .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm sleeping girly .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american cumshot hardcore [free] (Tatjana).mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\japanese gang bang bukkake full movie glans pregnant (Melissa).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Google\Update\Download\brasilian fetish hardcore public (Samantha).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\xxx [bangbus] cock .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\russian fetish lingerie hot (!) titts mistress (Jade).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Google\Temp\blowjob hot (!) cock .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\dotnet\shared\british lingerie [free] (Liz).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\russian gang bang beast voyeur feet penetration (Jade).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american nude trambling girls hotel .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fucking hidden wifey .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Common Files\microsoft shared\hardcore full movie hole Ôï .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\beast hot (!) (Sylvia).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lingerie hot (!) 40+ .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese kicking blowjob [bangbus] balls .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia horse full movie mature .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black cumshot horse lesbian cock (Christine,Liz).mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\black gang bang trambling [milf] titts (Gina,Sylvia).zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\trambling hidden (Janette).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\blowjob full movie high heels (Sandy,Tatjana).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\porn lingerie sleeping leather .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\black beastiality lesbian [milf] cock .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\temp\horse hidden .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian handjob hardcore hot (!) hole leather .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\xxx hidden (Karin).zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\nude horse full movie balls .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\hardcore [bangbus] titts femdom (Janette).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\italian cum sperm sleeping glans blondie .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\CbsTemp\russian animal hardcore [milf] glans beautyfull .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\horse voyeur young .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian action trambling several models titts ash (Sylvia).mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\russian kicking beast public .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish animal blowjob [bangbus] gorgeoushorny .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\indian handjob lingerie big redhair .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\spanish beast licking lady .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\german blowjob voyeur hole girly .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\german blowjob voyeur .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\mssrv.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\InputMethod\SHARED\blowjob full movie sm .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\japanese animal horse several models wifey .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\porn horse hidden penetration .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\american handjob trambling several models hole beautyfull (Samantha).mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\trambling public young .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\cumshot horse [bangbus] (Liz).mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\chinese trambling several models hole .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian horse trambling [milf] glans .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\lingerie hidden (Curtney).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SoftwareDistribution\Download\indian action xxx hidden (Karin).mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\horse [free] (Karin).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\xxx full movie fishy (Sonja,Curtney).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast [free] ¤ç .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\hardcore licking circumcision .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\danish animal fucking full movie titts 50+ (Janette).mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\brasilian handjob beast several models feet sm .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\asian lesbian lesbian .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\PLA\Templates\trambling several models .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\security\templates\black porn bukkake [bangbus] cock (Jenna,Sylvia).avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\british blowjob big titts penetration .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\chinese fucking sleeping cock hotel .avi.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\russian animal hardcore full movie .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian public .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\italian action gay girls hole .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\german gay [free] .mpeg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\Downloaded Program Files\horse licking .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\brasilian cumshot sperm uncut glans .mpg.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\assembly\tmp\black cum gay voyeur feet castration (Samantha).rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\blowjob hot (!) titts shoes .rar.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\tyrkish fetish fucking voyeur .zip.exe	40b774565b57b2baaa0fb9ff4b93d200N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
3276	40b774565b57b2baaa0fb9ff4b93d200N.exe
3276	40b774565b57b2baaa0fb9ff4b93d200N.exe
3684	40b774565b57b2baaa0fb9ff4b93d200N.exe
3684	40b774565b57b2baaa0fb9ff4b93d200N.exe
3584	40b774565b57b2baaa0fb9ff4b93d200N.exe
3584	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
4740	40b774565b57b2baaa0fb9ff4b93d200N.exe
4740	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
3636	40b774565b57b2baaa0fb9ff4b93d200N.exe
3636	40b774565b57b2baaa0fb9ff4b93d200N.exe
4264	40b774565b57b2baaa0fb9ff4b93d200N.exe
4264	40b774565b57b2baaa0fb9ff4b93d200N.exe
4764	40b774565b57b2baaa0fb9ff4b93d200N.exe
4764	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
4448	40b774565b57b2baaa0fb9ff4b93d200N.exe
3276	40b774565b57b2baaa0fb9ff4b93d200N.exe
3276	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
2356	40b774565b57b2baaa0fb9ff4b93d200N.exe
3768	40b774565b57b2baaa0fb9ff4b93d200N.exe
3768	40b774565b57b2baaa0fb9ff4b93d200N.exe
4812	40b774565b57b2baaa0fb9ff4b93d200N.exe
4812	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
440	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
3020	40b774565b57b2baaa0fb9ff4b93d200N.exe
4824	40b774565b57b2baaa0fb9ff4b93d200N.exe
4824	40b774565b57b2baaa0fb9ff4b93d200N.exe
1132	40b774565b57b2baaa0fb9ff4b93d200N.exe
1132	40b774565b57b2baaa0fb9ff4b93d200N.exe
3684	40b774565b57b2baaa0fb9ff4b93d200N.exe
3684	40b774565b57b2baaa0fb9ff4b93d200N.exe
1556	40b774565b57b2baaa0fb9ff4b93d200N.exe
1556	40b774565b57b2baaa0fb9ff4b93d200N.exe
3584	40b774565b57b2baaa0fb9ff4b93d200N.exe
3584	40b774565b57b2baaa0fb9ff4b93d200N.exe
4740	40b774565b57b2baaa0fb9ff4b93d200N.exe
4740	40b774565b57b2baaa0fb9ff4b93d200N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3020	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	87
PID 2356 wrote to memory of 3020	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	87
PID 2356 wrote to memory of 3020	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	87
PID 2356 wrote to memory of 4448	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	91
PID 2356 wrote to memory of 4448	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	91
PID 2356 wrote to memory of 4448	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	91
PID 3020 wrote to memory of 440	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	92
PID 3020 wrote to memory of 440	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	92
PID 3020 wrote to memory of 440	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	92
PID 4448 wrote to memory of 3276	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	94
PID 4448 wrote to memory of 3276	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	94
PID 4448 wrote to memory of 3276	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	94
PID 2356 wrote to memory of 3684	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	95
PID 2356 wrote to memory of 3684	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	95
PID 2356 wrote to memory of 3684	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	95
PID 3020 wrote to memory of 3584	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	96
PID 3020 wrote to memory of 3584	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	96
PID 3020 wrote to memory of 3584	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	96
PID 440 wrote to memory of 4740	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	97
PID 440 wrote to memory of 4740	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	97
PID 440 wrote to memory of 4740	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	97
PID 4448 wrote to memory of 4764	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	99
PID 4448 wrote to memory of 4764	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	99
PID 4448 wrote to memory of 4764	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	99
PID 2356 wrote to memory of 3636	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	100
PID 2356 wrote to memory of 3636	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	100
PID 2356 wrote to memory of 3636	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	100
PID 3276 wrote to memory of 4264	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	101
PID 3276 wrote to memory of 4264	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	101
PID 3276 wrote to memory of 4264	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	101
PID 3020 wrote to memory of 3768	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	102
PID 3020 wrote to memory of 3768	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	102
PID 3020 wrote to memory of 3768	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	102
PID 440 wrote to memory of 4812	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	103
PID 440 wrote to memory of 4812	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	103
PID 440 wrote to memory of 4812	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	103
PID 3684 wrote to memory of 1132	3684	40b774565b57b2baaa0fb9ff4b93d200N.exe	104
PID 3684 wrote to memory of 1132	3684	40b774565b57b2baaa0fb9ff4b93d200N.exe	104
PID 3684 wrote to memory of 1132	3684	40b774565b57b2baaa0fb9ff4b93d200N.exe	104
PID 3584 wrote to memory of 4824	3584	40b774565b57b2baaa0fb9ff4b93d200N.exe	105
PID 3584 wrote to memory of 4824	3584	40b774565b57b2baaa0fb9ff4b93d200N.exe	105
PID 3584 wrote to memory of 4824	3584	40b774565b57b2baaa0fb9ff4b93d200N.exe	105
PID 4740 wrote to memory of 1556	4740	40b774565b57b2baaa0fb9ff4b93d200N.exe	106
PID 4740 wrote to memory of 1556	4740	40b774565b57b2baaa0fb9ff4b93d200N.exe	106
PID 4740 wrote to memory of 1556	4740	40b774565b57b2baaa0fb9ff4b93d200N.exe	106
PID 4448 wrote to memory of 1996	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	108
PID 4448 wrote to memory of 1996	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	108
PID 4448 wrote to memory of 1996	4448	40b774565b57b2baaa0fb9ff4b93d200N.exe	108
PID 2356 wrote to memory of 3748	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	109
PID 2356 wrote to memory of 3748	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	109
PID 2356 wrote to memory of 3748	2356	40b774565b57b2baaa0fb9ff4b93d200N.exe	109
PID 3276 wrote to memory of 3288	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	110
PID 3276 wrote to memory of 3288	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	110
PID 3276 wrote to memory of 3288	3276	40b774565b57b2baaa0fb9ff4b93d200N.exe	110
PID 3636 wrote to memory of 3080	3636	40b774565b57b2baaa0fb9ff4b93d200N.exe	111
PID 3636 wrote to memory of 3080	3636	40b774565b57b2baaa0fb9ff4b93d200N.exe	111
PID 3636 wrote to memory of 3080	3636	40b774565b57b2baaa0fb9ff4b93d200N.exe	111
PID 440 wrote to memory of 4040	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	112
PID 440 wrote to memory of 4040	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	112
PID 440 wrote to memory of 4040	440	40b774565b57b2baaa0fb9ff4b93d200N.exe	112
PID 3020 wrote to memory of 2296	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	113
PID 3020 wrote to memory of 2296	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	113
PID 3020 wrote to memory of 2296	3020	40b774565b57b2baaa0fb9ff4b93d200N.exe	113
PID 3584 wrote to memory of 4560	3584	40b774565b57b2baaa0fb9ff4b93d200N.exe	114

C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
"C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        8⤵
        
        PID:12224
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:10092
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:13176
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:11296
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12348
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:9980
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12988
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:13668
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13200
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12456
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10100
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13160
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12576
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7336
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12480
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10004
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12996
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12208
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12768
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10980
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13748
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7744
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12460
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9940
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13096
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5928
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12584
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7820
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12176
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9884
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12780
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12216
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10036
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13112
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:11124
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:15216
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7552
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12192
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9972
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12740
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10116
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13644
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5752
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12568
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7792
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12100
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9908
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12760
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12504
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:8608
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9876
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12848
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12520
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10148
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13652
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10672
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13740
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7320
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12336
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10012
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13612
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7160
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12528
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9988
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12980
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5760
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10924
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:14904
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7760
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12108
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9804
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12732
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5784
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13676
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7784
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12116
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9924
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13076
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7132
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12232
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10028
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13152
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5704
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:11032
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13700
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7704
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12156
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:9828
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:12724
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12488
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:8932
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:9868
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13068
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12948
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10060
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13120
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10932
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:14172
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7776
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:11844
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9932
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13104
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5240
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        7⤵
        
        PID:12560
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:10068
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:13192
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:5712
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:11060
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7736
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12276
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9844
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12748
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:6948
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12496
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10140
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13636
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:11004
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:15124
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7728
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12148
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9956
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12956
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:6316
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12552
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7836
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12092
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:9892
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:15140
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:7120
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12512
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10108
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13128
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10972
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13732
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7344
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12400
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10020
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13004
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12536
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:8916
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9852
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13660
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12200
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10044
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13168
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10964
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13724
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7768
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12124
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:9836
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:13472
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:6908
      - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        6⤵
        
        PID:12472
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10076
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13136
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10956
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13708
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7812
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12132
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9948
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:14896
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7004
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12384
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10132
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13684
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7064
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12544
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10124
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13628
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10940
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:14888
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12328
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:9996
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:12972
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:5936
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:10948
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:13716
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7828
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12376
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9900
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12964
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12140
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:9776
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13692
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10680
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:15132
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12184
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:9964
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:13208
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:6956
    - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
        5⤵
        
        PID:12368
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:10084
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:13184
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:11248
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7720
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12168
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:9916
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:13620
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:7020
  - - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
      "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
      4⤵
      PID:12284
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:10052
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:13144
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:5768
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:11052
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:15408
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:7800
- - C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
    "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
    3⤵
    PID:12080
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:9812
- C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe
  "C:\Users\Admin\AppData\Local\Temp\40b774565b57b2baaa0fb9ff4b93d200N.exe"
  2⤵
  PID:12840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\xxx [bangbus] cock .mpeg.exe

Filesize
943KB

MD5
022c44e9abd8251fbb20d7bdb80fdbf8

SHA1
d6446845bd183fa9f8c656b9f2b96a521897a8ac

SHA256
19280d722b70fa25da58cbfb783368e85c3e5fd431259f935993b62aad744318

SHA512
12ec5a24bc75e65460afed7d590178a7ca56c12b43a7bc341cf988753b7af00d822991b8157c33e422768a43334e578c121ad6a04a63bcb55a36a3adcc5fb258

Download Submit