c513c6de5876b19d173f68e74f538752dd967392ba2f880641ea4803c0185e9d

Analysis

max time kernel
26s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9a47bfb52146fa925b915974099400N.exe
Size

373KB
MD5

0a9a47bfb52146fa925b915974099400
SHA1

1d3627b2bf3536d976b5734220e5245051c8c6a7
SHA256

c513c6de5876b19d173f68e74f538752dd967392ba2f880641ea4803c0185e9d
SHA512

b7c1c124c91c92e4058dfd15e050aaf4050b0e537f28f4b4b66caddcd21d9c5d24e0a69b7bc6e7b082e21f9fb6182bab1cc80c561d37a54062dd22c9a0879efd
SSDEEP

6144:A//ICMmDRxs3NBRQFU8D58sM7nwlptA1u5iPgbfVTMOxyZEo3XATvSWU:A//vi9BCFUJsM7QAw5imMgHvSWU

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0a9a47bfb52146fa925b915974099400N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\K:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\U:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\R:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\S:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\X:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\Y:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\A:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\G:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\P:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\Q:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\B:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\N:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\T:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\Z:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\M:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\O:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\V:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\W:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\H:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\I:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\J:	0a9a47bfb52146fa925b915974099400N.exe
File opened (read-only)	\??\L:	0a9a47bfb52146fa925b915974099400N.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\black cum lesbian hidden (Janette).avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\System32\DriverStore\Temp\gay masturbation hole gorgeoushorny (Janette).avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\IME\shared\indian gang bang bukkake [bangbus] (Liz).rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\xxx catfight hole .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian fetish bukkake voyeur .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\IME\shared\russian porn sperm several models (Melissa).zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian nude blowjob big glans castration .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\danish fetish lingerie public feet castration (Liz).mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\FxsTmp\trambling several models latex .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian bukkake girls shoes .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\horse several models glans 40+ .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\japanese cum lesbian [milf] .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\sperm [free] hotel .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\brasilian kicking gay lesbian titts ìï (Sylvia).mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Google\Temp\animal lesbian sleeping mistress .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\swedish cumshot bukkake [free] latex (Jenna,Tatjana).avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish handjob lesbian lesbian cock wifey (Sylvia).mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\blowjob voyeur stockings .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob catfight hole ejaculation .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\american gang bang hardcore [free] 50+ .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files\Windows Journal\Templates\beast catfight titts stockings (Jade).zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\hardcore sleeping traffic .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\italian fetish horse sleeping cock castration .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\horse masturbation femdom .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Program Files\DVD Maker\Shared\lesbian girls glans wifey .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx voyeur .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\bukkake several models .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\PLA\Templates\tyrkish animal horse [bangbus] (Curtney).rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\SoftwareDistribution\Download\hardcore [bangbus] .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\mssrv.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\sperm uncut 40+ .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\danish cumshot blowjob big titts 40+ .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay big (Tatjana).mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\xxx several models titts upskirt (Samantha).rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\swedish porn bukkake sleeping titts .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\russian handjob lesbian catfight shower .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\indian beastiality hardcore girls titts .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\lesbian uncut mistress .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian animal horse [free] 50+ .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\swedish action blowjob [free] .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\trambling big feet .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\blowjob masturbation gorgeoushorny (Christine,Curtney).avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\security\templates\black beastiality lingerie sleeping glans (Ashley,Jade).mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\russian action beast big 40+ .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\blowjob masturbation black hairunshaved .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish gang bang trambling hot (!) feet .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm sleeping (Sylvia).mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\horse lesbian cock beautyfull .mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\tmp\brasilian nude fucking licking .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian cumshot xxx full movie .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\beast uncut feet circumcision .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\french sperm voyeur cock .avi.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse uncut castration .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\lingerie sleeping ìï (Christine,Curtney).mpg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\american nude horse catfight glans .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\temp\lesbian sleeping .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\danish handjob bukkake licking fishy .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\german sperm [milf] titts (Kathrin,Curtney).mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\horse [bangbus] beautyfull .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\tyrkish animal blowjob [free] YEâPSè& .rar.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\fetish blowjob [milf] ejaculation .zip.exe	0a9a47bfb52146fa925b915974099400N.exe
File created	C:\Windows\Downloaded Program Files\swedish nude beast [bangbus] cock hairy .mpeg.exe	0a9a47bfb52146fa925b915974099400N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9a47bfb52146fa925b915974099400N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	0a9a47bfb52146fa925b915974099400N.exe
2016	0a9a47bfb52146fa925b915974099400N.exe
2592	0a9a47bfb52146fa925b915974099400N.exe
2748	0a9a47bfb52146fa925b915974099400N.exe
2932	0a9a47bfb52146fa925b915974099400N.exe
2016	0a9a47bfb52146fa925b915974099400N.exe
2592	0a9a47bfb52146fa925b915974099400N.exe
2052	0a9a47bfb52146fa925b915974099400N.exe
2916	0a9a47bfb52146fa925b915974099400N.exe
880	0a9a47bfb52146fa925b915974099400N.exe
2748	0a9a47bfb52146fa925b915974099400N.exe
2932	0a9a47bfb52146fa925b915974099400N.exe
2376	0a9a47bfb52146fa925b915974099400N.exe
2016	0a9a47bfb52146fa925b915974099400N.exe
2592	0a9a47bfb52146fa925b915974099400N.exe
2948	0a9a47bfb52146fa925b915974099400N.exe
2964	0a9a47bfb52146fa925b915974099400N.exe
2052	0a9a47bfb52146fa925b915974099400N.exe
2956	0a9a47bfb52146fa925b915974099400N.exe
2916	0a9a47bfb52146fa925b915974099400N.exe
1544	0a9a47bfb52146fa925b915974099400N.exe
1512	0a9a47bfb52146fa925b915974099400N.exe
1088	0a9a47bfb52146fa925b915974099400N.exe
2932	0a9a47bfb52146fa925b915974099400N.exe
2016	0a9a47bfb52146fa925b915974099400N.exe
2748	0a9a47bfb52146fa925b915974099400N.exe
2156	0a9a47bfb52146fa925b915974099400N.exe
2592	0a9a47bfb52146fa925b915974099400N.exe
1712	0a9a47bfb52146fa925b915974099400N.exe
880	0a9a47bfb52146fa925b915974099400N.exe
2376	0a9a47bfb52146fa925b915974099400N.exe
656	0a9a47bfb52146fa925b915974099400N.exe
2948	0a9a47bfb52146fa925b915974099400N.exe
2272	0a9a47bfb52146fa925b915974099400N.exe
2464	0a9a47bfb52146fa925b915974099400N.exe
2956	0a9a47bfb52146fa925b915974099400N.exe
2192	0a9a47bfb52146fa925b915974099400N.exe
2052	0a9a47bfb52146fa925b915974099400N.exe
2292	0a9a47bfb52146fa925b915974099400N.exe
2916	0a9a47bfb52146fa925b915974099400N.exe
2964	0a9a47bfb52146fa925b915974099400N.exe
2188	0a9a47bfb52146fa925b915974099400N.exe
1512	0a9a47bfb52146fa925b915974099400N.exe
1544	0a9a47bfb52146fa925b915974099400N.exe
2932	0a9a47bfb52146fa925b915974099400N.exe
1628	0a9a47bfb52146fa925b915974099400N.exe
752	0a9a47bfb52146fa925b915974099400N.exe
2448	0a9a47bfb52146fa925b915974099400N.exe
292	0a9a47bfb52146fa925b915974099400N.exe
2516	0a9a47bfb52146fa925b915974099400N.exe
2748	0a9a47bfb52146fa925b915974099400N.exe
1088	0a9a47bfb52146fa925b915974099400N.exe
2016	0a9a47bfb52146fa925b915974099400N.exe
1900	0a9a47bfb52146fa925b915974099400N.exe
2592	0a9a47bfb52146fa925b915974099400N.exe
1928	0a9a47bfb52146fa925b915974099400N.exe
1996	0a9a47bfb52146fa925b915974099400N.exe
2512	0a9a47bfb52146fa925b915974099400N.exe
2376	0a9a47bfb52146fa925b915974099400N.exe
880	0a9a47bfb52146fa925b915974099400N.exe
2160	0a9a47bfb52146fa925b915974099400N.exe
2156	0a9a47bfb52146fa925b915974099400N.exe
2156	0a9a47bfb52146fa925b915974099400N.exe
1712	0a9a47bfb52146fa925b915974099400N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2016	2592	0a9a47bfb52146fa925b915974099400N.exe	29
PID 2592 wrote to memory of 2016	2592	0a9a47bfb52146fa925b915974099400N.exe	29
PID 2592 wrote to memory of 2016	2592	0a9a47bfb52146fa925b915974099400N.exe	29
PID 2592 wrote to memory of 2016	2592	0a9a47bfb52146fa925b915974099400N.exe	29
PID 2016 wrote to memory of 2748	2016	0a9a47bfb52146fa925b915974099400N.exe	30
PID 2016 wrote to memory of 2748	2016	0a9a47bfb52146fa925b915974099400N.exe	30
PID 2016 wrote to memory of 2748	2016	0a9a47bfb52146fa925b915974099400N.exe	30
PID 2016 wrote to memory of 2748	2016	0a9a47bfb52146fa925b915974099400N.exe	30
PID 2592 wrote to memory of 2932	2592	0a9a47bfb52146fa925b915974099400N.exe	31
PID 2592 wrote to memory of 2932	2592	0a9a47bfb52146fa925b915974099400N.exe	31
PID 2592 wrote to memory of 2932	2592	0a9a47bfb52146fa925b915974099400N.exe	31
PID 2592 wrote to memory of 2932	2592	0a9a47bfb52146fa925b915974099400N.exe	31
PID 2932 wrote to memory of 880	2932	0a9a47bfb52146fa925b915974099400N.exe	33
PID 2932 wrote to memory of 880	2932	0a9a47bfb52146fa925b915974099400N.exe	33
PID 2932 wrote to memory of 880	2932	0a9a47bfb52146fa925b915974099400N.exe	33
PID 2932 wrote to memory of 880	2932	0a9a47bfb52146fa925b915974099400N.exe	33
PID 2016 wrote to memory of 2052	2016	0a9a47bfb52146fa925b915974099400N.exe	34
PID 2016 wrote to memory of 2052	2016	0a9a47bfb52146fa925b915974099400N.exe	34
PID 2016 wrote to memory of 2052	2016	0a9a47bfb52146fa925b915974099400N.exe	34
PID 2016 wrote to memory of 2052	2016	0a9a47bfb52146fa925b915974099400N.exe	34
PID 2748 wrote to memory of 2916	2748	0a9a47bfb52146fa925b915974099400N.exe	32
PID 2748 wrote to memory of 2916	2748	0a9a47bfb52146fa925b915974099400N.exe	32
PID 2748 wrote to memory of 2916	2748	0a9a47bfb52146fa925b915974099400N.exe	32
PID 2748 wrote to memory of 2916	2748	0a9a47bfb52146fa925b915974099400N.exe	32
PID 2592 wrote to memory of 2376	2592	0a9a47bfb52146fa925b915974099400N.exe	35
PID 2592 wrote to memory of 2376	2592	0a9a47bfb52146fa925b915974099400N.exe	35
PID 2592 wrote to memory of 2376	2592	0a9a47bfb52146fa925b915974099400N.exe	35
PID 2592 wrote to memory of 2376	2592	0a9a47bfb52146fa925b915974099400N.exe	35
PID 2052 wrote to memory of 2948	2052	0a9a47bfb52146fa925b915974099400N.exe	36
PID 2052 wrote to memory of 2948	2052	0a9a47bfb52146fa925b915974099400N.exe	36
PID 2052 wrote to memory of 2948	2052	0a9a47bfb52146fa925b915974099400N.exe	36
PID 2052 wrote to memory of 2948	2052	0a9a47bfb52146fa925b915974099400N.exe	36
PID 2916 wrote to memory of 2956	2916	0a9a47bfb52146fa925b915974099400N.exe	37
PID 2916 wrote to memory of 2956	2916	0a9a47bfb52146fa925b915974099400N.exe	37
PID 2916 wrote to memory of 2956	2916	0a9a47bfb52146fa925b915974099400N.exe	37
PID 2916 wrote to memory of 2956	2916	0a9a47bfb52146fa925b915974099400N.exe	37
PID 2932 wrote to memory of 2964	2932	0a9a47bfb52146fa925b915974099400N.exe	38
PID 2932 wrote to memory of 2964	2932	0a9a47bfb52146fa925b915974099400N.exe	38
PID 2932 wrote to memory of 2964	2932	0a9a47bfb52146fa925b915974099400N.exe	38
PID 2932 wrote to memory of 2964	2932	0a9a47bfb52146fa925b915974099400N.exe	38
PID 2016 wrote to memory of 1544	2016	0a9a47bfb52146fa925b915974099400N.exe	40
PID 2016 wrote to memory of 1544	2016	0a9a47bfb52146fa925b915974099400N.exe	40
PID 2016 wrote to memory of 1544	2016	0a9a47bfb52146fa925b915974099400N.exe	40
PID 2016 wrote to memory of 1544	2016	0a9a47bfb52146fa925b915974099400N.exe	40
PID 2748 wrote to memory of 1512	2748	0a9a47bfb52146fa925b915974099400N.exe	39
PID 2748 wrote to memory of 1512	2748	0a9a47bfb52146fa925b915974099400N.exe	39
PID 2748 wrote to memory of 1512	2748	0a9a47bfb52146fa925b915974099400N.exe	39
PID 2748 wrote to memory of 1512	2748	0a9a47bfb52146fa925b915974099400N.exe	39
PID 2592 wrote to memory of 1088	2592	0a9a47bfb52146fa925b915974099400N.exe	41
PID 2592 wrote to memory of 1088	2592	0a9a47bfb52146fa925b915974099400N.exe	41
PID 2592 wrote to memory of 1088	2592	0a9a47bfb52146fa925b915974099400N.exe	41
PID 2592 wrote to memory of 1088	2592	0a9a47bfb52146fa925b915974099400N.exe	41
PID 880 wrote to memory of 2156	880	0a9a47bfb52146fa925b915974099400N.exe	42
PID 880 wrote to memory of 2156	880	0a9a47bfb52146fa925b915974099400N.exe	42
PID 880 wrote to memory of 2156	880	0a9a47bfb52146fa925b915974099400N.exe	42
PID 880 wrote to memory of 2156	880	0a9a47bfb52146fa925b915974099400N.exe	42
PID 2376 wrote to memory of 1712	2376	0a9a47bfb52146fa925b915974099400N.exe	43
PID 2376 wrote to memory of 1712	2376	0a9a47bfb52146fa925b915974099400N.exe	43
PID 2376 wrote to memory of 1712	2376	0a9a47bfb52146fa925b915974099400N.exe	43
PID 2376 wrote to memory of 1712	2376	0a9a47bfb52146fa925b915974099400N.exe	43
PID 2948 wrote to memory of 656	2948	0a9a47bfb52146fa925b915974099400N.exe	44
PID 2948 wrote to memory of 656	2948	0a9a47bfb52146fa925b915974099400N.exe	44
PID 2948 wrote to memory of 656	2948	0a9a47bfb52146fa925b915974099400N.exe	44
PID 2948 wrote to memory of 656	2948	0a9a47bfb52146fa925b915974099400N.exe	44

C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
"C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        8⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        8⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:8824
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:10396
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:10628
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5304
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8708
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:9832
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:7892
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:8776
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5784
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8860
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:8020
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:10376
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5756
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10456
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:7916
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:8812
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:6420
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:8804
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8656
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10520
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8748
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5832
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:6052
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7904
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:7688
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5868
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10440
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10408
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:8876
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:292
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8000
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:8692
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7024
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7952
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:3644
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:5312
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        7⤵
        
        PID:8868
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:7944
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8784
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:10696
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5876
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10476
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:5716
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10620
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5936
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7992
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3636
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:10432
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5080
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:7976
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5840
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7964
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:8792
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5948
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:8672
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:5224
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:8012
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:6068
      - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        6⤵
        
        PID:8488
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:6536
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:10724
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5960
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:8756
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:7932
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:8848
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:3892
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:5792
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
        5⤵
        
        PID:8832
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5928
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:5340
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
      "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
      4⤵
      PID:10420
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
    3⤵
    PID:4660
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9a47bfb52146fa925b915974099400N.exe"
  2⤵
  PID:10448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob catfight hole ejaculation .mpg.exe

Filesize
1.9MB

MD5
62f82f6aefd84a9eaede87cced1f38f5

SHA1
1b93b1a956e7dc8bf3d91c64436011c12af9dc00

SHA256
1f3a415ce45a4db5a6b07d5d6f61d8529bb2280210304ff280992899175f0398

SHA512
e4843d6a077e4081b350e5ad62a26d0f34ffb813220a1bdbb01aa77aea9a5689b373aa5f238d0e6874c8661064e9bffdcf1cddb85cd724cf64acd947bb6e3c37

Download Submit