0b5a3b999a9d3cae4df14d46503be97518d867ba7469f1b43cd2a5bd26d6ceea

Analysis

max time kernel
23s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998eb1368710dce17285762612ffcdb0N.exe
Size

430KB
MD5

998eb1368710dce17285762612ffcdb0
SHA1

7fa848acf02b27d51f010ce452d7dca741055f0a
SHA256

0b5a3b999a9d3cae4df14d46503be97518d867ba7469f1b43cd2a5bd26d6ceea
SHA512

6590988eb2a3e5f18eab2c1078215b548d677da29fa0a2bb1e011fb1c3e6bc98eeb0b4d7f1cf5f9a70fd7301887131964199da02127cead07b9582072f4b6d4c
SSDEEP

12288:dXCNi9BFae+wm03u+LPNugDklWZumoLSKp:oW7+t0ruNp

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	998eb1368710dce17285762612ffcdb0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\J:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\S:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\Y:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\Z:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\A:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\I:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\L:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\P:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\Q:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\V:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\B:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\K:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\N:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\R:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\W:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\X:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\G:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\H:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\M:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\O:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\T:	998eb1368710dce17285762612ffcdb0N.exe
File opened (read-only)	\??\U:	998eb1368710dce17285762612ffcdb0N.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian animal trambling [free] titts mistress .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\System32\DriverStore\Temp\lingerie public 40+ .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\xxx full movie hole shoes .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish fetish horse public wifey .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese porn lingerie masturbation .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black porn lingerie full movie hole redhair .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian cumshot beast uncut .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob masturbation cock .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\IME\shared\indian beastiality sperm voyeur (Curtney).avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish beastiality xxx uncut hole redhair .rar.exe	998eb1368710dce17285762612ffcdb0N.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\xxx full movie traffic .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\american kicking sperm [free] .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie uncut .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gay several models bondage .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files\DVD Maker\Shared\beast big feet black hairunshaved (Jade).rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\bukkake big YEâPSè& .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore lesbian fishy .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\brasilian horse horse girls cock .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\sperm [bangbus] young .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\gay [milf] mature .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Google\Temp\hardcore [bangbus] feet (Britney,Karin).mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files\Windows Journal\Templates\lingerie sleeping titts sweet (Sarah).avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\japanese cum gay girls traffic .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\horse [milf] sm (Britney,Jade).mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\lingerie [milf] hole .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\tyrkish animal trambling [bangbus] pregnant .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\PLA\Templates\beast several models glans .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish cum lesbian catfight (Jade).rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\american kicking hardcore hidden .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\mssrv.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm public hole .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\hardcore public .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\japanese animal gay lesbian (Melissa).zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\gay hot (!) .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american kicking sperm voyeur hole stockings .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\trambling full movie cock girly .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\indian horse lesbian lesbian .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx lesbian cock .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\xxx sleeping (Liz).zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian nude lingerie masturbation leather .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\tmp\italian cum bukkake masturbation .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm several models shoes (Anniston,Curtney).avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking public hole bedroom .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish gang bang blowjob [bangbus] titts upskirt (Sylvia).mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking licking fishy .mpeg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\danish gang bang lingerie voyeur sweet .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian action gay girls cock blondie .zip.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\Downloaded Program Files\black nude xxx hot (!) feet leather (Curtney).rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\swedish nude blowjob [bangbus] 50+ .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\black action horse [bangbus] .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\tyrkish animal beast uncut .rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\beast girls hole .mpg.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\bukkake public feet .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\assembly\temp\black animal hardcore catfight wifey (Sonja,Sylvia).rar.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\security\templates\horse hidden pregnant .avi.exe	998eb1368710dce17285762612ffcdb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\gay lesbian ash (Ashley,Sylvia).zip.exe	998eb1368710dce17285762612ffcdb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	998eb1368710dce17285762612ffcdb0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	998eb1368710dce17285762612ffcdb0N.exe
2468	998eb1368710dce17285762612ffcdb0N.exe
2488	998eb1368710dce17285762612ffcdb0N.exe
2680	998eb1368710dce17285762612ffcdb0N.exe
2756	998eb1368710dce17285762612ffcdb0N.exe
2468	998eb1368710dce17285762612ffcdb0N.exe
2488	998eb1368710dce17285762612ffcdb0N.exe
2600	998eb1368710dce17285762612ffcdb0N.exe
3020	998eb1368710dce17285762612ffcdb0N.exe
2468	998eb1368710dce17285762612ffcdb0N.exe
2588	998eb1368710dce17285762612ffcdb0N.exe
612	998eb1368710dce17285762612ffcdb0N.exe
2488	998eb1368710dce17285762612ffcdb0N.exe
2756	998eb1368710dce17285762612ffcdb0N.exe
2680	998eb1368710dce17285762612ffcdb0N.exe
2468	998eb1368710dce17285762612ffcdb0N.exe
2884	998eb1368710dce17285762612ffcdb0N.exe
1816	998eb1368710dce17285762612ffcdb0N.exe
2756	998eb1368710dce17285762612ffcdb0N.exe
2872	998eb1368710dce17285762612ffcdb0N.exe
2968	998eb1368710dce17285762612ffcdb0N.exe
1096	998eb1368710dce17285762612ffcdb0N.exe
2488	998eb1368710dce17285762612ffcdb0N.exe
1488	998eb1368710dce17285762612ffcdb0N.exe
2588	998eb1368710dce17285762612ffcdb0N.exe
2600	998eb1368710dce17285762612ffcdb0N.exe
1820	998eb1368710dce17285762612ffcdb0N.exe
3020	998eb1368710dce17285762612ffcdb0N.exe
2680	998eb1368710dce17285762612ffcdb0N.exe
612	998eb1368710dce17285762612ffcdb0N.exe
2860	998eb1368710dce17285762612ffcdb0N.exe
2340	998eb1368710dce17285762612ffcdb0N.exe
2328	998eb1368710dce17285762612ffcdb0N.exe
2756	998eb1368710dce17285762612ffcdb0N.exe
2468	998eb1368710dce17285762612ffcdb0N.exe
1464	998eb1368710dce17285762612ffcdb0N.exe
2488	998eb1368710dce17285762612ffcdb0N.exe
2588	998eb1368710dce17285762612ffcdb0N.exe
320	998eb1368710dce17285762612ffcdb0N.exe
2924	998eb1368710dce17285762612ffcdb0N.exe
2940	998eb1368710dce17285762612ffcdb0N.exe
1816	998eb1368710dce17285762612ffcdb0N.exe
2884	998eb1368710dce17285762612ffcdb0N.exe
2600	998eb1368710dce17285762612ffcdb0N.exe
2200	998eb1368710dce17285762612ffcdb0N.exe
3020	998eb1368710dce17285762612ffcdb0N.exe
2620	998eb1368710dce17285762612ffcdb0N.exe
612	998eb1368710dce17285762612ffcdb0N.exe
2428	998eb1368710dce17285762612ffcdb0N.exe
340	998eb1368710dce17285762612ffcdb0N.exe
960	998eb1368710dce17285762612ffcdb0N.exe
2680	998eb1368710dce17285762612ffcdb0N.exe
2872	998eb1368710dce17285762612ffcdb0N.exe
1712	998eb1368710dce17285762612ffcdb0N.exe
108	998eb1368710dce17285762612ffcdb0N.exe
1376	998eb1368710dce17285762612ffcdb0N.exe
2056	998eb1368710dce17285762612ffcdb0N.exe
572	998eb1368710dce17285762612ffcdb0N.exe
572	998eb1368710dce17285762612ffcdb0N.exe
1096	998eb1368710dce17285762612ffcdb0N.exe
1096	998eb1368710dce17285762612ffcdb0N.exe
2968	998eb1368710dce17285762612ffcdb0N.exe
2968	998eb1368710dce17285762612ffcdb0N.exe
1488	998eb1368710dce17285762612ffcdb0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2468	2488	998eb1368710dce17285762612ffcdb0N.exe	28
PID 2488 wrote to memory of 2468	2488	998eb1368710dce17285762612ffcdb0N.exe	28
PID 2488 wrote to memory of 2468	2488	998eb1368710dce17285762612ffcdb0N.exe	28
PID 2488 wrote to memory of 2468	2488	998eb1368710dce17285762612ffcdb0N.exe	28
PID 2468 wrote to memory of 2680	2468	998eb1368710dce17285762612ffcdb0N.exe	30
PID 2468 wrote to memory of 2680	2468	998eb1368710dce17285762612ffcdb0N.exe	30
PID 2468 wrote to memory of 2680	2468	998eb1368710dce17285762612ffcdb0N.exe	30
PID 2468 wrote to memory of 2680	2468	998eb1368710dce17285762612ffcdb0N.exe	30
PID 2488 wrote to memory of 2756	2488	998eb1368710dce17285762612ffcdb0N.exe	29
PID 2488 wrote to memory of 2756	2488	998eb1368710dce17285762612ffcdb0N.exe	29
PID 2488 wrote to memory of 2756	2488	998eb1368710dce17285762612ffcdb0N.exe	29
PID 2488 wrote to memory of 2756	2488	998eb1368710dce17285762612ffcdb0N.exe	29
PID 2468 wrote to memory of 2588	2468	998eb1368710dce17285762612ffcdb0N.exe	31
PID 2468 wrote to memory of 2588	2468	998eb1368710dce17285762612ffcdb0N.exe	31
PID 2468 wrote to memory of 2588	2468	998eb1368710dce17285762612ffcdb0N.exe	31
PID 2468 wrote to memory of 2588	2468	998eb1368710dce17285762612ffcdb0N.exe	31
PID 2488 wrote to memory of 2600	2488	998eb1368710dce17285762612ffcdb0N.exe	32
PID 2488 wrote to memory of 2600	2488	998eb1368710dce17285762612ffcdb0N.exe	32
PID 2488 wrote to memory of 2600	2488	998eb1368710dce17285762612ffcdb0N.exe	32
PID 2488 wrote to memory of 2600	2488	998eb1368710dce17285762612ffcdb0N.exe	32
PID 2680 wrote to memory of 612	2680	998eb1368710dce17285762612ffcdb0N.exe	33
PID 2680 wrote to memory of 612	2680	998eb1368710dce17285762612ffcdb0N.exe	33
PID 2680 wrote to memory of 612	2680	998eb1368710dce17285762612ffcdb0N.exe	33
PID 2680 wrote to memory of 612	2680	998eb1368710dce17285762612ffcdb0N.exe	33
PID 2756 wrote to memory of 3020	2756	998eb1368710dce17285762612ffcdb0N.exe	34
PID 2756 wrote to memory of 3020	2756	998eb1368710dce17285762612ffcdb0N.exe	34
PID 2756 wrote to memory of 3020	2756	998eb1368710dce17285762612ffcdb0N.exe	34
PID 2756 wrote to memory of 3020	2756	998eb1368710dce17285762612ffcdb0N.exe	34
PID 2468 wrote to memory of 2872	2468	998eb1368710dce17285762612ffcdb0N.exe	35
PID 2468 wrote to memory of 2872	2468	998eb1368710dce17285762612ffcdb0N.exe	35
PID 2468 wrote to memory of 2872	2468	998eb1368710dce17285762612ffcdb0N.exe	35
PID 2468 wrote to memory of 2872	2468	998eb1368710dce17285762612ffcdb0N.exe	35
PID 2756 wrote to memory of 2884	2756	998eb1368710dce17285762612ffcdb0N.exe	36
PID 2756 wrote to memory of 2884	2756	998eb1368710dce17285762612ffcdb0N.exe	36
PID 2756 wrote to memory of 2884	2756	998eb1368710dce17285762612ffcdb0N.exe	36
PID 2756 wrote to memory of 2884	2756	998eb1368710dce17285762612ffcdb0N.exe	36
PID 2488 wrote to memory of 2968	2488	998eb1368710dce17285762612ffcdb0N.exe	37
PID 2488 wrote to memory of 2968	2488	998eb1368710dce17285762612ffcdb0N.exe	37
PID 2488 wrote to memory of 2968	2488	998eb1368710dce17285762612ffcdb0N.exe	37
PID 2488 wrote to memory of 2968	2488	998eb1368710dce17285762612ffcdb0N.exe	37
PID 2600 wrote to memory of 1816	2600	998eb1368710dce17285762612ffcdb0N.exe	38
PID 2600 wrote to memory of 1816	2600	998eb1368710dce17285762612ffcdb0N.exe	38
PID 2600 wrote to memory of 1816	2600	998eb1368710dce17285762612ffcdb0N.exe	38
PID 2600 wrote to memory of 1816	2600	998eb1368710dce17285762612ffcdb0N.exe	38
PID 3020 wrote to memory of 1096	3020	998eb1368710dce17285762612ffcdb0N.exe	39
PID 3020 wrote to memory of 1096	3020	998eb1368710dce17285762612ffcdb0N.exe	39
PID 3020 wrote to memory of 1096	3020	998eb1368710dce17285762612ffcdb0N.exe	39
PID 3020 wrote to memory of 1096	3020	998eb1368710dce17285762612ffcdb0N.exe	39
PID 2588 wrote to memory of 1820	2588	998eb1368710dce17285762612ffcdb0N.exe	40
PID 2588 wrote to memory of 1820	2588	998eb1368710dce17285762612ffcdb0N.exe	40
PID 2588 wrote to memory of 1820	2588	998eb1368710dce17285762612ffcdb0N.exe	40
PID 2588 wrote to memory of 1820	2588	998eb1368710dce17285762612ffcdb0N.exe	40
PID 2680 wrote to memory of 1488	2680	998eb1368710dce17285762612ffcdb0N.exe	41
PID 2680 wrote to memory of 1488	2680	998eb1368710dce17285762612ffcdb0N.exe	41
PID 2680 wrote to memory of 1488	2680	998eb1368710dce17285762612ffcdb0N.exe	41
PID 2680 wrote to memory of 1488	2680	998eb1368710dce17285762612ffcdb0N.exe	41
PID 612 wrote to memory of 2860	612	998eb1368710dce17285762612ffcdb0N.exe	42
PID 612 wrote to memory of 2860	612	998eb1368710dce17285762612ffcdb0N.exe	42
PID 612 wrote to memory of 2860	612	998eb1368710dce17285762612ffcdb0N.exe	42
PID 612 wrote to memory of 2860	612	998eb1368710dce17285762612ffcdb0N.exe	42
PID 2468 wrote to memory of 2340	2468	998eb1368710dce17285762612ffcdb0N.exe	43
PID 2468 wrote to memory of 2340	2468	998eb1368710dce17285762612ffcdb0N.exe	43
PID 2468 wrote to memory of 2340	2468	998eb1368710dce17285762612ffcdb0N.exe	43
PID 2468 wrote to memory of 2340	2468	998eb1368710dce17285762612ffcdb0N.exe	43

C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
"C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        8⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:9444
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:8592
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7028
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:9476
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6380
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:7160
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6308
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5720
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6764
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8132
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8632
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8028
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:7772
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:340
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8888
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7260
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6316
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6160
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7596
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6400
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8580
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6204
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7900
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5384
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5304
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8904
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4116
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6664
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8400
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6864
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6424
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7716
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7316
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5400
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3344
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7144
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7136
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:8624
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7548
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:7464
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        7⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7224
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:5056
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7708
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6168
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8688
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8368
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4156
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8020
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6872
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:9436
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7456
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:8608
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6956
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5808
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5148
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8872
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:6360
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7556
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5308
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8896
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8928
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:6212
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3796
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6628
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:9428
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:8216
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7400
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:9780
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:6324
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:6756
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        6⤵
        
        PID:7540
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:9544
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3480
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:5248
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8616
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:6456
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8392
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5536
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:8864
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3576
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:7336
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:9536
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:6888
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:8140
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:7604
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:8572
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:272
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7104
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7888
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:5492
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:8920
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
        5⤵
        
        PID:8208
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7024
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:7016
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:5292
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:8912
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
      4⤵
      PID:6408
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:5708
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
    3⤵
    PID:7076
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\998eb1368710dce17285762612ffcdb0N.exe"
  2⤵
  PID:5212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\xxx full movie traffic .mpg.exe

Filesize
1.3MB

MD5
bac813631cc3b738a5e914138ed7cdae

SHA1
6a3859cb422eb596c8980bf5a2632de2ebcc8c90

SHA256
f0a16cb60b74b718bef6de55eb563671cd1c61fff16813ab8b7e89d9ba2da66b

SHA512
a339a2b65c8249b218c48e1a9cf70bb544d6ee0ea935fa5557c4549dd8470411a706fbd3e6783d20584bf2a8286f67bbf2595cd6aaca7e869a619d4d556c9b5f

Download Submit
memory/108-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/320-140-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/320-100-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/320-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/340-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/340-155-0x0000000004590000-0x00000000045BB000-memory.dmp

Filesize
172KB

Download
memory/340-106-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/572-121-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/572-191-0x0000000004910000-0x000000000493B000-memory.dmp

Filesize
172KB

Download
memory/612-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/612-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/960-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1096-189-0x0000000004590000-0x00000000045BB000-memory.dmp

Filesize
172KB

Download
memory/1096-92-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1096-147-0x00000000045E0000-0x000000000460B000-memory.dmp

Filesize
172KB

Download
memory/1464-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1464-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1464-135-0x0000000004910000-0x000000000493B000-memory.dmp

Filesize
172KB

Download
memory/1488-150-0x0000000004600000-0x000000000462B000-memory.dmp

Filesize
172KB

Download
memory/1488-120-0x0000000001FD0000-0x0000000001FFB000-memory.dmp

Filesize
172KB

Download
memory/1488-93-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1712-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-129-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/1816-88-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1820-90-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1820-190-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/1820-144-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2200-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2328-97-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2328-171-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2328-126-0x00000000047F0000-0x000000000481B000-memory.dmp

Filesize
172KB

Download
memory/2340-127-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2340-173-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2428-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2428-156-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2468-86-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2468-125-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2468-167-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2468-163-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2468-40-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2468-158-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2468-70-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2488-159-0x0000000004AC0000-0x0000000004AEB000-memory.dmp

Filesize
172KB

Download
memory/2488-71-0x0000000004AC0000-0x0000000004AEB000-memory.dmp

Filesize
172KB

Download
memory/2488-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-39-0x0000000004AC0000-0x0000000004AEB000-memory.dmp

Filesize
172KB

Download
memory/2488-98-0x0000000004AD0000-0x0000000004AFB000-memory.dmp

Filesize
172KB

Download
memory/2488-164-0x0000000004AC0000-0x0000000004AEB000-memory.dmp

Filesize
172KB

Download
memory/2488-157-0x0000000004AC0000-0x0000000004AEB000-memory.dmp

Filesize
172KB

Download
memory/2488-172-0x0000000004AD0000-0x0000000004AFB000-memory.dmp

Filesize
172KB

Download
memory/2488-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-175-0x0000000004AD0000-0x0000000004AFB000-memory.dmp

Filesize
172KB

Download
memory/2588-99-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2588-176-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2588-128-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/2588-177-0x0000000004930000-0x000000000495B000-memory.dmp

Filesize
172KB

Download
memory/2588-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2588-162-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2600-131-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/2600-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-103-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-143-0x0000000004910000-0x000000000493B000-memory.dmp

Filesize
172KB

Download
memory/2620-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2680-72-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/2680-137-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/2680-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2756-96-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2756-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2756-174-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2860-146-0x0000000004A60000-0x0000000004A8B000-memory.dmp

Filesize
172KB

Download
memory/2860-94-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2860-119-0x00000000044A0000-0x00000000044CB000-memory.dmp

Filesize
172KB

Download
memory/2872-138-0x0000000004920000-0x000000000494B000-memory.dmp

Filesize
172KB

Download
memory/2872-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2872-170-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2872-186-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2884-130-0x0000000004A80000-0x0000000004AAB000-memory.dmp

Filesize
172KB

Download
memory/2884-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-87-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-141-0x0000000004590000-0x00000000045BB000-memory.dmp

Filesize
172KB

Download
memory/2924-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-142-0x00000000047D0000-0x00000000047FB000-memory.dmp

Filesize
172KB

Download
memory/2968-118-0x0000000004800000-0x000000000482B000-memory.dmp

Filesize
172KB

Download
memory/2968-188-0x0000000004800000-0x000000000482B000-memory.dmp

Filesize
172KB

Download
memory/2968-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-145-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/3020-132-0x0000000004A70000-0x0000000004A9B000-memory.dmp

Filesize
172KB

Download
memory/3020-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3020-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download