isrstealer | 5067be80b05a552ddd9ca03d22b822855ffa56a7a28f0ba32d0ced57e9e12810

Analysis

max time kernel
30s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinJect.exe
Size

540KB
MD5

6abce2783394bf829a97599d04a8def3
SHA1

2a7864232650cf6528c903ec505e4fc1cc59517c
SHA256

29ab5fe35a0f48c4683adf37e978abbfff23c0b2f8b416d58b18690ebf41a66a
SHA512

8c07c4b105296747f6224f161b00250e5fa54c4f7b2ad33313b91f4116917064f4acc315f664688346d0272bc77953c338fe40d4ed6e0fd5e5ad507f12cdf7b4
SSDEEP

6144:dHEUWvcNBG1R741QrIJvnjqHByUkz/urMkHug25ijoBFQi7f0u1WeJiXpH4raGpt:pFG1d4gIJLqcU9OgiioSOLKR4rFMgn

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2612-75-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2612-80-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 28 IoCs

pid	Process
2356	0718i2vupW.exe
2980	0718i2vupW.exe
3020	0718i2vupW.exe
2612	0718i2vupW.exe
1968	0718i2vupW.exe
1952	0718i2vupW.exe
1540	0718i2vupW.exe
3000	0718i2vupW.exe
556	0718i2vupW.exe
2712	0718i2vupW.exe
1228	0718i2vupW.exe
2480	0718i2vupW.exe
1776	0718i2vupW.exe
1932	0718i2vupW.exe
3008	0718i2vupW.exe
2332	0718i2vupW.exe
2780	0718i2vupW.exe
896	0718i2vupW.exe
2916	0718i2vupW.exe
2988	0718i2vupW.exe
604	0718i2vupW.exe
1640	0718i2vupW.exe
2268	0718i2vupW.exe
2424	0718i2vupW.exe
2416	0718i2vupW.exe
2752	0718i2vupW.exe
1668	0718i2vupW.exe
1432	0718i2vupW.exe

Loads dropped DLL 38 IoCs

pid	Process
924	WinJect.exe
924	WinJect.exe
2356	0718i2vupW.exe
2848	Winject.exe
2848	Winject.exe
3020	0718i2vupW.exe
2980	0718i2vupW.exe
1968	0718i2vupW.exe
1512	Winject.exe
1512	Winject.exe
2336	Winject.exe
2336	Winject.exe
1952	0718i2vupW.exe
556	0718i2vupW.exe
3000	0718i2vupW.exe
1228	0718i2vupW.exe
2124	Winject.exe
2124	Winject.exe
2176	Winject.exe
2176	Winject.exe
1776	0718i2vupW.exe
3008	0718i2vupW.exe
1932	0718i2vupW.exe
2780	0718i2vupW.exe
1528	Winject.exe
1528	Winject.exe
2916	0718i2vupW.exe
2988	0718i2vupW.exe
2196	Winject.exe
2196	Winject.exe
1640	0718i2vupW.exe
2268	0718i2vupW.exe
1688	Winject.exe
1688	Winject.exe
2416	0718i2vupW.exe
2752	0718i2vupW.exe
1552	Winject.exe
1552	Winject.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Writes to the Master Boot Record (MBR) 1 TTPs 19 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	WinJect.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	Winject.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe
File opened for modification	\??\PhysicalDrive0	0718i2vupW.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 924	2064	WinJect.exe	30
PID 2416 set thread context of 2848	2416	Winject.exe	34
PID 2356 set thread context of 3020	2356	0718i2vupW.exe	36
PID 3020 set thread context of 2612	3020	0718i2vupW.exe	38
PID 2620 set thread context of 1512	2620	Winject.exe	39
PID 2980 set thread context of 1968	2980	0718i2vupW.exe	40
PID 1968 set thread context of 1540	1968	0718i2vupW.exe	42
PID 1116 set thread context of 2336	1116	Winject.exe	44
PID 1952 set thread context of 556	1952	0718i2vupW.exe	47
PID 556 set thread context of 2712	556	0718i2vupW.exe	48
PID 3000 set thread context of 1228	3000	0718i2vupW.exe	49
PID 1228 set thread context of 2480	1228	0718i2vupW.exe	50
PID 2992 set thread context of 2124	2992	Winject.exe	51
PID 2476 set thread context of 2176	2476	Winject.exe	55
PID 1776 set thread context of 3008	1776	0718i2vupW.exe	58
PID 3008 set thread context of 2332	3008	0718i2vupW.exe	59
PID 1932 set thread context of 2780	1932	0718i2vupW.exe	60
PID 2780 set thread context of 896	2780	0718i2vupW.exe	61
PID 2796 set thread context of 1528	2796	Winject.exe	62
PID 2904 set thread context of 2196	2904	Winject.exe	66
PID 2916 set thread context of 2988	2916	0718i2vupW.exe	65
PID 2988 set thread context of 604	2988	0718i2vupW.exe	67
PID 1780 set thread context of 1688	1780	Winject.exe	71
PID 1640 set thread context of 2268	1640	0718i2vupW.exe	70
PID 2268 set thread context of 2424	2268	0718i2vupW.exe	72
PID 2244 set thread context of 1552	2244	Winject.exe	75
PID 2416 set thread context of 2752	2416	0718i2vupW.exe	76
PID 2752 set thread context of 1668	2752	0718i2vupW.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinJect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinJect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0718i2vupW.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2612	0718i2vupW.exe
2612	0718i2vupW.exe
2612	0718i2vupW.exe
2612	0718i2vupW.exe
1540	0718i2vupW.exe
1540	0718i2vupW.exe
1540	0718i2vupW.exe
1540	0718i2vupW.exe
2712	0718i2vupW.exe
2712	0718i2vupW.exe
2712	0718i2vupW.exe
2712	0718i2vupW.exe
2480	0718i2vupW.exe
2480	0718i2vupW.exe
2480	0718i2vupW.exe
2480	0718i2vupW.exe
2332	0718i2vupW.exe
2332	0718i2vupW.exe
2332	0718i2vupW.exe
2332	0718i2vupW.exe
896	0718i2vupW.exe
896	0718i2vupW.exe
896	0718i2vupW.exe
896	0718i2vupW.exe
604	0718i2vupW.exe
604	0718i2vupW.exe
604	0718i2vupW.exe
604	0718i2vupW.exe
2424	0718i2vupW.exe
2424	0718i2vupW.exe
2424	0718i2vupW.exe
2424	0718i2vupW.exe
1668	0718i2vupW.exe
1668	0718i2vupW.exe
1668	0718i2vupW.exe
1668	0718i2vupW.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
2064	WinJect.exe
924	WinJect.exe
2416	Winject.exe
2356	0718i2vupW.exe
2848	Winject.exe
2620	Winject.exe
3020	0718i2vupW.exe
2980	0718i2vupW.exe
2612	0718i2vupW.exe
1512	Winject.exe
1968	0718i2vupW.exe
1116	Winject.exe
1540	0718i2vupW.exe
1952	0718i2vupW.exe
2336	Winject.exe
3000	0718i2vupW.exe
2992	Winject.exe
556	0718i2vupW.exe
2712	0718i2vupW.exe
1228	0718i2vupW.exe
2480	0718i2vupW.exe
2124	Winject.exe
2476	Winject.exe
1776	0718i2vupW.exe
2176	Winject.exe
1932	0718i2vupW.exe
2796	Winject.exe
3008	0718i2vupW.exe
2332	0718i2vupW.exe
2780	0718i2vupW.exe
896	0718i2vupW.exe
1528	Winject.exe
2904	Winject.exe
2916	0718i2vupW.exe
2196	Winject.exe
2988	0718i2vupW.exe
604	0718i2vupW.exe
1780	Winject.exe
1640	0718i2vupW.exe
1688	Winject.exe
2268	0718i2vupW.exe
2424	0718i2vupW.exe
2244	Winject.exe
2416	0718i2vupW.exe
1552	Winject.exe
2752	0718i2vupW.exe
1668	0718i2vupW.exe
2980	Winject.exe
1432	0718i2vupW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 2064 wrote to memory of 924	2064	WinJect.exe	30
PID 924 wrote to memory of 2416	924	WinJect.exe	31
PID 924 wrote to memory of 2416	924	WinJect.exe	31
PID 924 wrote to memory of 2416	924	WinJect.exe	31
PID 924 wrote to memory of 2416	924	WinJect.exe	31
PID 924 wrote to memory of 2356	924	WinJect.exe	32
PID 924 wrote to memory of 2356	924	WinJect.exe	32
PID 924 wrote to memory of 2356	924	WinJect.exe	32
PID 924 wrote to memory of 2356	924	WinJect.exe	32
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2416 wrote to memory of 2848	2416	Winject.exe	34
PID 2848 wrote to memory of 2620	2848	Winject.exe	35
PID 2848 wrote to memory of 2620	2848	Winject.exe	35
PID 2848 wrote to memory of 2620	2848	Winject.exe	35
PID 2848 wrote to memory of 2620	2848	Winject.exe	35
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 2848 wrote to memory of 2980	2848	Winject.exe	37
PID 2848 wrote to memory of 2980	2848	Winject.exe	37
PID 2848 wrote to memory of 2980	2848	Winject.exe	37
PID 2848 wrote to memory of 2980	2848	Winject.exe	37
PID 2356 wrote to memory of 3020	2356	0718i2vupW.exe	36
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 3020 wrote to memory of 2612	3020	0718i2vupW.exe	38
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2620 wrote to memory of 1512	2620	Winject.exe	39
PID 2980 wrote to memory of 1968	2980	0718i2vupW.exe	40
PID 2980 wrote to memory of 1968	2980	0718i2vupW.exe	40
PID 2980 wrote to memory of 1968	2980	0718i2vupW.exe	40
PID 2980 wrote to memory of 1968	2980	0718i2vupW.exe	40

C:\Users\Admin\AppData\Local\Temp\WinJect.exe
"C:\Users\Admin\AppData\Local\Temp\WinJect.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\WinJect.exe
  "C:\Users\Admin\AppData\Local\Temp\WinJect.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\Winject.exe
    "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\Winject.exe
      "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        6⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        8⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        10⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        12⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        14⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        16⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        18⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        20⤵
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        22⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        23⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        24⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        25⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        26⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        27⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        28⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        29⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        30⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        31⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        32⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        33⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        34⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        35⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        36⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        37⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        38⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        39⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        40⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        41⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        42⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        43⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        44⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        45⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        46⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        47⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        48⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        49⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        50⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        51⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        52⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        53⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        54⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        55⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        56⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        57⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        58⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        59⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        60⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        61⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        62⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        63⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        64⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        65⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        66⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        67⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        68⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        69⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        70⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        71⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        72⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        73⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        74⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        75⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        76⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        77⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        78⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        79⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        80⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        81⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        82⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        83⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        84⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        85⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        86⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        87⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        88⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        89⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        90⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        91⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        92⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        93⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        94⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        95⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        96⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        97⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        98⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        99⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        100⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        101⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        102⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Winject.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winject.exe"
        103⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        103⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        101⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        102⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        103⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        99⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        100⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        101⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        97⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        98⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        99⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        95⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        96⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        97⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        93⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        94⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        95⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        91⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        92⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        93⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        89⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        90⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        91⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        87⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        88⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        89⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        85⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        86⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        87⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        83⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        84⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        85⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        81⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        82⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        83⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        79⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        80⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        81⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        77⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        78⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        79⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        75⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        76⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        77⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        73⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        74⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        75⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        71⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        72⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        73⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        69⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        70⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        71⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        67⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        68⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        69⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        65⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        66⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        67⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        63⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        64⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        65⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        61⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        62⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        63⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        59⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        60⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        61⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        57⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        58⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        59⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        55⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        56⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        57⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        53⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        54⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        55⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        51⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        52⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        53⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        49⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        50⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        51⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        47⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        48⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        49⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        45⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        46⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        47⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        43⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        44⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        45⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        41⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        42⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        43⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        39⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        40⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        41⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        37⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        38⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        39⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        35⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        36⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        37⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        33⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        34⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        35⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        31⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        32⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        33⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        29⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        30⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        31⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        27⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        28⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        29⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        25⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        26⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        27⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        23⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        24⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        25⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        22⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        23⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1540
- - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
    "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
      "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0718i2vupW.exe

Filesize
228KB

MD5
4bde2fa501b271311668b79e08c3977e

SHA1
60517822d48cf2b560c2d4681c4e5685e29f9632

SHA256
73903815bf438131d3dee70fb8f7f757f1ae57deb7fddd802685fd14d95c33dd

SHA512
4a39144ed55e44228882b1d30e1d4b6ddc76cbc8037089fdd0e058ad79364a66d13d311827bf181907d3e29b84b6443349624e2d505d1c4d64cea2e48cd684c3

Download Submit
memory/924-6-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/924-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/924-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/924-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/924-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/924-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/924-32-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2612-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2612-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2612-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2612-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2848-48-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2848-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download