6fdd26e9c7025d6952b7ab2f36828cb724b54127f061f5ebee3030f953950f96

Analysis

max time kernel
15s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 22:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0982943ec76e3bad6c9c2715f1f1ac60N.exe
Size

2.0MB
MD5

0982943ec76e3bad6c9c2715f1f1ac60
SHA1

9716c3fd154636a65e62748f9e2babf2f438bc17
SHA256

6fdd26e9c7025d6952b7ab2f36828cb724b54127f061f5ebee3030f953950f96
SHA512

88d7da9532ae426bed4a2b5d42cb1dea9ce7f04df5a649a23530ceb2e41828d6b5b4232894343ebe167e920ea5cd01ab6d566ba3d2a2f96a2be8e047f5c4e64a
SSDEEP

49152:huoX8BWflZTtaicdqNn2AYliZfcCsBkJp/sMhNVUwY2MCidqTepYg:Asfz8iwqJkZCsWkMyZ2MCidpYg

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\E:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\G:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\I:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\M:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\R:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\T:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\A:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\J:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\L:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\S:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\U:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\H:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\K:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\N:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\O:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\Y:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\B:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\P:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\Q:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\W:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\X:	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File opened (read-only)	\??\Z:	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\black beastiality beast [bangbus] .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american horse beast masturbation boots .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian action gay lesbian (Karin).zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese animal xxx lesbian feet .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian handjob blowjob [free] feet (Sandy,Sylvia).zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\FxsTmp\cumshot lingerie uncut .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\System32\DriverStore\Temp\blowjob big .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\trambling voyeur sweet .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian gang bang trambling [milf] girly .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\gay big beautyfull .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian nude hardcore masturbation feet bedroom .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse [free] feet lady (Liz).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\russian gang bang beast uncut titts .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian porn horse voyeur granny .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african hardcore girls cock (Anniston,Sylvia).mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian gang bang trambling several models .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\beast sleeping glans leather .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Google\Update\Download\sperm [free] feet shoes .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\trambling big (Samantha).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish handjob xxx [bangbus] hole sweet .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Common Files\microsoft shared\american gang bang fucking voyeur feet .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\russian beastiality bukkake lesbian gorgeoushorny .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fucking [free] (Melissa).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black kicking blowjob full movie titts high heels .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian cumshot bukkake [milf] YEâPSè& .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese porn lingerie hidden redhair .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\gay uncut titts upskirt (Jade).avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Google\Temp\black kicking blowjob big hole .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\bukkake [bangbus] titts sm .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\swedish porn horse hot (!) .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\french beast licking .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\gay licking titts .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie uncut shoes (Kathrin,Curtney).avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish cum beast several models bedroom .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\cumshot lesbian masturbation Ôï .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\indian cum hardcore girls pregnant (Ashley,Samantha).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\kicking blowjob [milf] cock sweet (Melissa).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\british beast catfight traffic (Christine,Liz).avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\chinese horse [free] Ôï (Sonja,Samantha).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\norwegian blowjob hidden fishy .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\blowjob public redhair .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\asian sperm hot (!) circumcision .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\russian gang bang beast sleeping upskirt (Christine,Janette).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\porn gay full movie glans blondie .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\mssrv.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\PLA\Templates\gay [bangbus] mistress .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian nude lesbian several models (Janette).zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\malaysia beast catfight hole traffic .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\spanish trambling licking cock shoes .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\french fucking sleeping glans shoes (Melissa).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\bukkake voyeur mature .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\cumshot fucking [milf] titts .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\asian bukkake sleeping glans redhair (Samantha).avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\cum lingerie hidden titts .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\british sperm sleeping glans shower .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\british beast uncut blondie .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american cum lingerie full movie cock boots .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\nude xxx girls (Sarah).mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\indian cumshot beast [bangbus] .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\hardcore public traffic .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\japanese cum horse big .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\nude hardcore masturbation cock wifey (Janette).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\InputMethod\SHARED\russian nude bukkake hidden feet gorgeoushorny .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\italian horse beast licking hole black hairunshaved (Tatjana).zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\black nude bukkake hidden feet redhair (Samantha).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\russian action xxx several models shower (Britney,Curtney).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\african sperm [free] .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\asian bukkake licking hole high heels .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\animal beast uncut cock .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\assembly\temp\brasilian kicking gay lesbian penetration .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\gay catfight young (Britney,Curtney).mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\african lesbian uncut feet wifey (Tatjana).mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\fetish xxx full movie (Jade).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\black horse horse several models (Janette).zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\canadian trambling [free] feet girly .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\trambling [milf] (Curtney).rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\black animal beast public penetration .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\SoftwareDistribution\Download\horse [bangbus] young .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\american handjob gay several models hole pregnant .zip.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\asian blowjob uncut cock blondie (Melissa).mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\security\templates\bukkake licking .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\beastiality trambling sleeping glans swallow .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\russian beastiality beast catfight (Samantha).avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\fetish fucking sleeping glans traffic .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\fucking big circumcision .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian fucking big glans fishy .rar.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\action xxx full movie cock blondie .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\canadian gay big .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\danish nude bukkake catfight balls .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\american cum fucking catfight (Sarah).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\nude horse sleeping hairy .mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\brasilian handjob bukkake hot (!) .avi.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\japanese kicking sperm full movie (Janette).mpeg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\german sperm full movie .mpg.exe	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe
392	0982943ec76e3bad6c9c2715f1f1ac60N.exe
392	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
5020	0982943ec76e3bad6c9c2715f1f1ac60N.exe
5020	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1244	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1244	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4648	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4648	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2448	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2448	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe
5060	0982943ec76e3bad6c9c2715f1f1ac60N.exe
5060	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4624	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4624	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4992	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4992	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe
392	0982943ec76e3bad6c9c2715f1f1ac60N.exe
392	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2320	0982943ec76e3bad6c9c2715f1f1ac60N.exe
2320	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe
4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1972	0982943ec76e3bad6c9c2715f1f1ac60N.exe
1972	0982943ec76e3bad6c9c2715f1f1ac60N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4104	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	89
PID 3088 wrote to memory of 4104	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	89
PID 3088 wrote to memory of 4104	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	89
PID 4104 wrote to memory of 4432	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	91
PID 4104 wrote to memory of 4432	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	91
PID 4104 wrote to memory of 4432	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	91
PID 3088 wrote to memory of 3092	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	92
PID 3088 wrote to memory of 3092	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	92
PID 3088 wrote to memory of 3092	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	92
PID 4104 wrote to memory of 1496	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	93
PID 4104 wrote to memory of 1496	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	93
PID 4104 wrote to memory of 1496	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	93
PID 3088 wrote to memory of 2004	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	94
PID 3088 wrote to memory of 2004	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	94
PID 3088 wrote to memory of 2004	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	94
PID 4432 wrote to memory of 392	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	95
PID 4432 wrote to memory of 392	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	95
PID 4432 wrote to memory of 392	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	95
PID 3092 wrote to memory of 4372	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	96
PID 3092 wrote to memory of 4372	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	96
PID 3092 wrote to memory of 4372	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	96
PID 3088 wrote to memory of 5020	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	97
PID 3088 wrote to memory of 5020	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	97
PID 3088 wrote to memory of 5020	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	97
PID 4104 wrote to memory of 1244	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	98
PID 4104 wrote to memory of 1244	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	98
PID 4104 wrote to memory of 1244	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	98
PID 2004 wrote to memory of 4648	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	99
PID 2004 wrote to memory of 4648	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	99
PID 2004 wrote to memory of 4648	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	99
PID 1496 wrote to memory of 2448	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	102
PID 1496 wrote to memory of 2448	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	102
PID 1496 wrote to memory of 2448	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	102
PID 3092 wrote to memory of 5060	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	101
PID 3092 wrote to memory of 5060	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	101
PID 3092 wrote to memory of 5060	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	101
PID 4432 wrote to memory of 4624	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	100
PID 4432 wrote to memory of 4624	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	100
PID 4432 wrote to memory of 4624	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	100
PID 392 wrote to memory of 4992	392	0982943ec76e3bad6c9c2715f1f1ac60N.exe	103
PID 392 wrote to memory of 4992	392	0982943ec76e3bad6c9c2715f1f1ac60N.exe	103
PID 392 wrote to memory of 4992	392	0982943ec76e3bad6c9c2715f1f1ac60N.exe	103
PID 4372 wrote to memory of 2320	4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe	104
PID 4372 wrote to memory of 2320	4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe	104
PID 4372 wrote to memory of 2320	4372	0982943ec76e3bad6c9c2715f1f1ac60N.exe	104
PID 2004 wrote to memory of 2280	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	105
PID 2004 wrote to memory of 2280	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	105
PID 2004 wrote to memory of 2280	2004	0982943ec76e3bad6c9c2715f1f1ac60N.exe	105
PID 3088 wrote to memory of 1972	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	106
PID 3088 wrote to memory of 1972	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	106
PID 3088 wrote to memory of 1972	3088	0982943ec76e3bad6c9c2715f1f1ac60N.exe	106
PID 4104 wrote to memory of 3116	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	107
PID 4104 wrote to memory of 3116	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	107
PID 4104 wrote to memory of 3116	4104	0982943ec76e3bad6c9c2715f1f1ac60N.exe	107
PID 1496 wrote to memory of 2204	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	108
PID 1496 wrote to memory of 2204	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	108
PID 1496 wrote to memory of 2204	1496	0982943ec76e3bad6c9c2715f1f1ac60N.exe	108
PID 3092 wrote to memory of 3704	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	109
PID 3092 wrote to memory of 3704	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	109
PID 3092 wrote to memory of 3704	3092	0982943ec76e3bad6c9c2715f1f1ac60N.exe	109
PID 4648 wrote to memory of 1408	4648	0982943ec76e3bad6c9c2715f1f1ac60N.exe	110
PID 4648 wrote to memory of 1408	4648	0982943ec76e3bad6c9c2715f1f1ac60N.exe	110
PID 4648 wrote to memory of 1408	4648	0982943ec76e3bad6c9c2715f1f1ac60N.exe	110
PID 4432 wrote to memory of 2364	4432	0982943ec76e3bad6c9c2715f1f1ac60N.exe	112

C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
"C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        8⤵
        
        PID:11132
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        8⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        8⤵
        
        PID:14788
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:12080
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:11156
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6768
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:13088
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:14908
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6736
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8696
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:13152
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:7064
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:12056
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11188
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15656
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:16136
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8624
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13080
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:11440
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:15752
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6712
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8648
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11868
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:12112
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:8948
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:11892
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:12096
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11092
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15264
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6616
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11588
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15776
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8608
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11900
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:16656
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:10780
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15036
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6760
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12408
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:16144
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8768
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13320
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6368
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11148
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15648
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6600
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11108
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15640
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12072
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:15184
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8656
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:13072
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:14932
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8672
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11844
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:16596
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6268
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:9048
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11956
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11180
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15444
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8872
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12088
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11140
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15340
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8720
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11852
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:16572
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10284
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:14916
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6824
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13608
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8832
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12048
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5724
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:10772
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:14984
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11164
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15436
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8904
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12104
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:3532
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:14240
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8664
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11992
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:16624
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6224
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11084
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15256
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6632
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8760
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12344
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:5768
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:9376
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12064
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8816
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12040
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8940
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12144
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:6800
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8744
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:12136
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:712
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:10820
        
        C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        7⤵
        
        PID:15160
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:13128
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:10476
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15108
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6784
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8680
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12196
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:532
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:10996
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15512
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6680
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8824
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13144
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10844
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:14968
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6776
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:14780
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8688
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:11876
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:348
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:10804
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:14940
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8776
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13120
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10828
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15280
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8800
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12032
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:5940
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10764
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:14924
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11100
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15248
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12128
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8912
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:12120
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:6816
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8616
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:11980
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:5788
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:11428
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:15744
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        6⤵
        
        PID:16604
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8784
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:13112
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:8640
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:12152
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:11124
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15684
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6624
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8856
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:3832
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10796
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:14948
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8736
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:13136
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:11172
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:15352
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:6808
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8752
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:12016
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:10836
    - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
        5⤵
        
        PID:15152
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:6704
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8632
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:11656
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:15868
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:8956
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:11928
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:6512
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:11116
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:15272
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:7084
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8712
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:11884
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:16580
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:5760
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:10812
  - - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
      "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
      4⤵
      PID:14960
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8792
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:12024
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:8964
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:11948
- - C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
    "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
    3⤵
    PID:16612
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  PID:6792
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  PID:8700
- C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe
  "C:\Users\Admin\AppData\Local\Temp\0982943ec76e3bad6c9c2715f1f1ac60N.exe"
  2⤵
  PID:11860

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 495209
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2A7B900B31A64238B97E8E5508CE85A6 Ref B: LON04EDGE0720 Ref C: 2024-07-12T22:45:20Z
date: Fri, 12 Jul 2024 22:45:19 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 944920
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B1F96C1174474314A1EFFBE96A1DA41D Ref B: LON04EDGE0720 Ref C: 2024-07-12T22:45:20Z
date: Fri, 12 Jul 2024 22:45:19 GMT
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=149CD80384EB65E71CE3CCB985CC6423; domain=.bing.com; expires=Wed, 06-Aug-2025 22:45:20 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4BB4322AB3D74EDF85CCFB6370796A71 Ref B: LON04EDGE0714 Ref C: 2024-07-12T22:45:20Z
date: Fri, 12 Jul 2024 22:45:20 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=149CD80384EB65E71CE3CCB985CC6423

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=YZ4YzIZwkonbqeGjoMFYQlQ86IFoNOLGMTDyIqQgmZM; domain=.bing.com; expires=Wed, 06-Aug-2025 22:45:20 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 240240670C6C411CA5615B2A9C5BCCCB Ref B: LON04EDGE0714 Ref C: 2024-07-12T22:45:20Z
date: Fri, 12 Jul 2024 22:45:20 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=149CD80384EB65E71CE3CCB985CC6423; MSPTC=YZ4YzIZwkonbqeGjoMFYQlQ86IFoNOLGMTDyIqQgmZM

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 32F74A6758BD4ED5924D28122B30D0DC Ref B: LON04EDGE0714 Ref C: 2024-07-12T22:45:20Z
date: Fri, 12 Jul 2024 22:45:20 GMT
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response

150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

55.7kB
1.5MB
1106
1102

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301463_1E0AQKX8AO4FC6HSZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418577_1YCPJO6YBYEE06VWA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.8kB
15
12
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

tls, http2

2.8kB
10.6kB
24
17

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=104b27b62b894d34add1625074d115ee&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

HTTP Response

204

8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

132 B
90 B
2
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

71.159.190.20.in-addr.arpa

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

148 B
128 B
2
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese porn lingerie hidden redhair .zip.exe

Filesize
435KB

MD5
6d4806db7a2be25dee0048495e348d60

SHA1
d415a345c9f8e003df73a5d4cb5bdae15945aa44

SHA256
8f7bb67b80c313ff9fc59d967fe4d1805a7dc5a6dd1aa609fb63179ffde1fd72

SHA512
54a25690d879e3d2c03e1fc50f65390a1ff2db2a48b87c2405a3721b4203325241dbb4b99b08cdd6112fdd41d46b8c59fdecf7119d1c3df4f22d7ac18102ef30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.