a812d2a8c7a4b5940a9b2c1b12548fd21e49db5dd3cb583196f11a80bb15f961

Analysis

max time kernel
15s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18aa855ba79c9d14cc312ffefaa50240N.exe
Size

419KB
MD5

18aa855ba79c9d14cc312ffefaa50240
SHA1

318556d332997b81a43ea379f4f9f9eb167e86e5
SHA256

a812d2a8c7a4b5940a9b2c1b12548fd21e49db5dd3cb583196f11a80bb15f961
SHA512

d2a51ecf520bd568e0f6939af0116dbdb667d3b3d389cd16b612eae55cace4d362ad7cabc4fb2d58b6fddb3e7f98be57ebd84cfe8482b2319d32e5ed8dba71ef
SSDEEP

12288:dXCNi9B8eX7sPvmFATHlWP//gjAuy1wMF3VILH04:oW8eXMvmoWP//j1nuj

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	18aa855ba79c9d14cc312ffefaa50240N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	18aa855ba79c9d14cc312ffefaa50240N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\W:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\V:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\L:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\O:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\Q:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\S:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\R:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\Y:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\Z:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\E:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\J:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\M:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\N:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\K:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\P:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\T:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\U:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\B:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\G:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\H:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\I:	18aa855ba79c9d14cc312ffefaa50240N.exe
File opened (read-only)	\??\X:	18aa855ba79c9d14cc312ffefaa50240N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\japanese xxx fetish several models balls .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\russian cumshot voyeur circumcision .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian bukkake nude lesbian hairy .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese handjob hidden legs (Curtney,Britney).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black blowjob sleeping high heels .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\System32\DriverStore\Temp\spanish cumshot masturbation swallow .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\FxsTmp\action [free] cock .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality hidden leather (Samantha).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\canadian animal beastiality sleeping legs bedroom .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\malaysia porn fucking girls .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\FxsTmp\british fucking full movie nipples mistress .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\spanish horse xxx hidden feet femdom (Britney).rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\fucking hot (!) redhair .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish lingerie licking (Melissa,Sonja).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\chinese cum catfight girly .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\porn fetish masturbation titts mature .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fetish hot (!) fishy .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beast lingerie masturbation .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\horse public feet swallow .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\african horse nude big ash .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish sperm blowjob sleeping .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish trambling public stockings .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish sperm big circumcision .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\hardcore [milf] nipples ejaculation (Curtney,Gina).mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Google\Temp\african bukkake horse public stockings .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Google\Update\Download\handjob beastiality [bangbus] blondie .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\indian cum voyeur leather .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Common Files\microsoft shared\lingerie cumshot masturbation hotel .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian cum girls vagina (Kathrin,Ashley).rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\action gang bang [free] swallow .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\horse voyeur hole .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\chinese kicking fucking licking .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\british handjob big .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\cumshot gang bang [milf] .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\gay fucking sleeping hole penetration (Sandy).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\gang bang beastiality full movie (Kathrin,Curtney).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\american bukkake licking .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\canadian lesbian handjob several models latex (Sarah).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\beast lingerie several models .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\russian kicking trambling several models 40+ .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\fetish cumshot [milf] .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\cumshot lesbian voyeur blondie .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\security\templates\russian trambling lesbian glans .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\french beast lingerie masturbation ash .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\fucking hardcore [bangbus] .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\british trambling sperm full movie .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\german nude gay masturbation nipples young .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\french horse full movie .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\french handjob beast public hole .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\german gang bang fetish hidden .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\gang bang hot (!) femdom .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\african sperm girls young .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\hardcore horse voyeur (Melissa).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian fetish sleeping .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\asian beast horse [free] 40+ (Karin,Britney).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\british beastiality sleeping ash circumcision .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\chinese blowjob handjob girls (Sonja,Tatjana).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\assembly\tmp\beastiality sperm full movie glans .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\cum kicking uncut traffic .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\sperm licking ash redhair (Britney,Sonja).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\cumshot xxx hidden legs high heels .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\black sperm several models 50+ .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\sperm action [bangbus] black hairunshaved .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\xxx public glans femdom .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\cumshot hidden .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\sperm beastiality hidden nipples mistress .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\chinese action kicking full movie .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\brasilian handjob cumshot lesbian feet boots .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\PLA\Templates\swedish blowjob bukkake several models .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\lingerie porn masturbation legs (Ashley).rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\tyrkish cum horse licking bedroom .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\gang bang [milf] (Curtney).mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\tyrkish beast gang bang [free] ash .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\british xxx catfight hairy (Kathrin).rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\cumshot blowjob voyeur latex (Sylvia).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\canadian nude catfight boobs .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\indian animal big (Janette,Liz).zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\blowjob handjob [bangbus] vagina boots .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\brasilian fetish public .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\african hardcore cum full movie sweet .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\french xxx public high heels .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\canadian fetish gang bang big .mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\asian horse blowjob full movie glans YEâPSè& (Tatjana).mpeg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fetish several models fishy .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\horse fucking [free] mistress (Melissa,Janette).mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\brasilian lingerie horse [bangbus] redhair (Sarah,Jenna).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\italian nude voyeur young (Jenna).rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\beastiality [free] traffic (Jade).avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\spanish cum several models Ôï .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian gang bang lesbian castration .mpg.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\french horse uncut .avi.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\bukkake public hole pregnant .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\blowjob several models .zip.exe	18aa855ba79c9d14cc312ffefaa50240N.exe
File created	C:\Windows\InputMethod\SHARED\japanese sperm lingerie girls glans .rar.exe	18aa855ba79c9d14cc312ffefaa50240N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
3092	18aa855ba79c9d14cc312ffefaa50240N.exe
3092	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
1824	18aa855ba79c9d14cc312ffefaa50240N.exe
1824	18aa855ba79c9d14cc312ffefaa50240N.exe
3164	18aa855ba79c9d14cc312ffefaa50240N.exe
3164	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
2576	18aa855ba79c9d14cc312ffefaa50240N.exe
2576	18aa855ba79c9d14cc312ffefaa50240N.exe
4512	18aa855ba79c9d14cc312ffefaa50240N.exe
4512	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
2180	18aa855ba79c9d14cc312ffefaa50240N.exe
3620	18aa855ba79c9d14cc312ffefaa50240N.exe
3620	18aa855ba79c9d14cc312ffefaa50240N.exe
3416	18aa855ba79c9d14cc312ffefaa50240N.exe
3416	18aa855ba79c9d14cc312ffefaa50240N.exe
1016	18aa855ba79c9d14cc312ffefaa50240N.exe
1016	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
4372	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
1692	18aa855ba79c9d14cc312ffefaa50240N.exe
2836	18aa855ba79c9d14cc312ffefaa50240N.exe
2836	18aa855ba79c9d14cc312ffefaa50240N.exe
1252	18aa855ba79c9d14cc312ffefaa50240N.exe
1252	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
4744	18aa855ba79c9d14cc312ffefaa50240N.exe
3164	18aa855ba79c9d14cc312ffefaa50240N.exe
3092	18aa855ba79c9d14cc312ffefaa50240N.exe
3164	18aa855ba79c9d14cc312ffefaa50240N.exe
3092	18aa855ba79c9d14cc312ffefaa50240N.exe
1824	18aa855ba79c9d14cc312ffefaa50240N.exe
1824	18aa855ba79c9d14cc312ffefaa50240N.exe
4324	18aa855ba79c9d14cc312ffefaa50240N.exe
4324	18aa855ba79c9d14cc312ffefaa50240N.exe
4752	18aa855ba79c9d14cc312ffefaa50240N.exe
4752	18aa855ba79c9d14cc312ffefaa50240N.exe
2576	18aa855ba79c9d14cc312ffefaa50240N.exe
2576	18aa855ba79c9d14cc312ffefaa50240N.exe
2384	18aa855ba79c9d14cc312ffefaa50240N.exe
2384	18aa855ba79c9d14cc312ffefaa50240N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2180	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	86
PID 4744 wrote to memory of 2180	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	86
PID 4744 wrote to memory of 2180	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	86
PID 2180 wrote to memory of 1692	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	87
PID 2180 wrote to memory of 1692	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	87
PID 2180 wrote to memory of 1692	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	87
PID 4744 wrote to memory of 4372	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	88
PID 4744 wrote to memory of 4372	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	88
PID 4744 wrote to memory of 4372	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	88
PID 2180 wrote to memory of 3092	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	89
PID 2180 wrote to memory of 3092	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	89
PID 2180 wrote to memory of 3092	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	89
PID 1692 wrote to memory of 1824	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	90
PID 1692 wrote to memory of 1824	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	90
PID 1692 wrote to memory of 1824	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	90
PID 4744 wrote to memory of 3164	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	91
PID 4744 wrote to memory of 3164	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	91
PID 4744 wrote to memory of 3164	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	91
PID 4372 wrote to memory of 2576	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	92
PID 4372 wrote to memory of 2576	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	92
PID 4372 wrote to memory of 2576	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	92
PID 2180 wrote to memory of 4512	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	93
PID 2180 wrote to memory of 4512	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	93
PID 2180 wrote to memory of 4512	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	93
PID 4372 wrote to memory of 3620	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	94
PID 4372 wrote to memory of 3620	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	94
PID 4372 wrote to memory of 3620	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	94
PID 1692 wrote to memory of 3416	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	95
PID 1692 wrote to memory of 3416	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	95
PID 1692 wrote to memory of 3416	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	95
PID 4744 wrote to memory of 1016	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	96
PID 4744 wrote to memory of 1016	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	96
PID 4744 wrote to memory of 1016	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	96
PID 1824 wrote to memory of 4324	1824	18aa855ba79c9d14cc312ffefaa50240N.exe	97
PID 1824 wrote to memory of 4324	1824	18aa855ba79c9d14cc312ffefaa50240N.exe	97
PID 1824 wrote to memory of 4324	1824	18aa855ba79c9d14cc312ffefaa50240N.exe	97
PID 3092 wrote to memory of 2836	3092	18aa855ba79c9d14cc312ffefaa50240N.exe	98
PID 3092 wrote to memory of 2836	3092	18aa855ba79c9d14cc312ffefaa50240N.exe	98
PID 3092 wrote to memory of 2836	3092	18aa855ba79c9d14cc312ffefaa50240N.exe	98
PID 3164 wrote to memory of 1252	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	99
PID 3164 wrote to memory of 1252	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	99
PID 3164 wrote to memory of 1252	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	99
PID 2576 wrote to memory of 4752	2576	18aa855ba79c9d14cc312ffefaa50240N.exe	100
PID 2576 wrote to memory of 4752	2576	18aa855ba79c9d14cc312ffefaa50240N.exe	100
PID 2576 wrote to memory of 4752	2576	18aa855ba79c9d14cc312ffefaa50240N.exe	100
PID 2180 wrote to memory of 2384	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	101
PID 2180 wrote to memory of 2384	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	101
PID 2180 wrote to memory of 2384	2180	18aa855ba79c9d14cc312ffefaa50240N.exe	101
PID 4512 wrote to memory of 4368	4512	18aa855ba79c9d14cc312ffefaa50240N.exe	102
PID 4512 wrote to memory of 4368	4512	18aa855ba79c9d14cc312ffefaa50240N.exe	102
PID 4512 wrote to memory of 4368	4512	18aa855ba79c9d14cc312ffefaa50240N.exe	102
PID 4372 wrote to memory of 4632	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	103
PID 4372 wrote to memory of 4632	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	103
PID 4372 wrote to memory of 4632	4372	18aa855ba79c9d14cc312ffefaa50240N.exe	103
PID 1692 wrote to memory of 2764	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	104
PID 1692 wrote to memory of 2764	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	104
PID 1692 wrote to memory of 2764	1692	18aa855ba79c9d14cc312ffefaa50240N.exe	104
PID 3620 wrote to memory of 4524	3620	18aa855ba79c9d14cc312ffefaa50240N.exe	105
PID 3620 wrote to memory of 4524	3620	18aa855ba79c9d14cc312ffefaa50240N.exe	105
PID 3620 wrote to memory of 4524	3620	18aa855ba79c9d14cc312ffefaa50240N.exe	105
PID 3164 wrote to memory of 2928	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	106
PID 3164 wrote to memory of 2928	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	106
PID 3164 wrote to memory of 2928	3164	18aa855ba79c9d14cc312ffefaa50240N.exe	106
PID 4744 wrote to memory of 4380	4744	18aa855ba79c9d14cc312ffefaa50240N.exe	107

C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
"C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        8⤵
        
        PID:9628
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        8⤵
        
        PID:12496
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:9600
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12504
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:8880
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12656
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12808
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:8096
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12776
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:4912
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12608
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9608
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12512
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:924
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9008
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12640
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:7964
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:11152
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:15596
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:9028
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:13076
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:6800
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12436
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:10332
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:14668
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12364
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6140
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:7904
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:11112
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12316
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9752
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:15528
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12452
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:15716
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6808
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9560
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12536
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12648
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6060
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12832
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7996
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:11164
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12292
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:15644
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:3396
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12560
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9672
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12544
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:1448
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:8772
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12672
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12752
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:8104
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12768
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:8548
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12704
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6880
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9688
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12480
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:8620
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12680
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:10548
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12356
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:8440
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:15704
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12744
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9396
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12552
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:7332
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9964
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12396
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9088
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12624
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6156
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:10816
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12332
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12824
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:5672
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9932
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:15496
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12412
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6928
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9636
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:15572
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:8452
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:15652
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12728
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:13792
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:7920
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:10208
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:9052
        
        C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        7⤵
        
        PID:12592
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:6904
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9592
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12520
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12348
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6092
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:13744
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:11104
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12308
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:8716
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12664
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6872
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9656
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12472
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9940
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12404
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12816
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7896
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:11136
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:15580
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5712
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9404
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12576
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6912
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9812
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12444
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:7648
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:10320
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:13912
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12372
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12792
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:14256
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7944
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:10856
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9064
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:15736
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12600
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6896
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9680
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12464
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:8636
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12736
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12800
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:7928
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:10760
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12340
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:9036
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:12632
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:6760
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9584
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12528
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:8556
      - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        6⤵
        
        PID:15744
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12712
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:14164
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:8228
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12760
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9996
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12388
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9728
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12428
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9412
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12568
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12688
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:7952
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:11128
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12300
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:15604
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:9744
    - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
        5⤵
        
        PID:12420
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:7188
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:10200
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12380
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9044
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12616
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:6148
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:13228
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:7912
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:11120
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12324
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:9352
  - - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
      "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
      4⤵
      PID:12584
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:7132
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:9644
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12488
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:8460
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12720
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:6124
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:12784
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:7976
- - C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
    "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
    3⤵
    PID:15752
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:11248
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe
  "C:\Users\Admin\AppData\Local\Temp\18aa855ba79c9d14cc312ffefaa50240N.exe"
  2⤵
  PID:15588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish sperm blowjob sleeping .zip.exe

Filesize
453KB

MD5
ff17cc58ebcead7fb5afa627eae29ef3

SHA1
ec30a962e0acfdfe515d54d6c1ad1df46d574bb8

SHA256
316a4e4197cc931f00514a69743f64261315f9e518955eb1bf937243bcea9016

SHA512
5b0549d3370c144e31f37d1435a00e2590f950f37990140a9177e87b68519b1b2f04f358d15b1ad075d7aeb54f2d853d4c0cf9ff9f0811c8563f27938e7c5f27

Download Submit