72b1fa00aa5dafdcceb74b03bfbda517799d0c486cf06e09a55fa7e54a266dca

Analysis

max time kernel
14s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250df0b58fca9f0870a7c75415e53990N.exe
Size

1.4MB
MD5

250df0b58fca9f0870a7c75415e53990
SHA1

75a979d42bb477fd22a732cc3ac34c919541868c
SHA256

72b1fa00aa5dafdcceb74b03bfbda517799d0c486cf06e09a55fa7e54a266dca
SHA512

6547e822f21367f9964e695c04eee102e5859e0bbca5abecf88f9d6d67926268b08bd598eb01425ae870da12761e2c27276c60282640dfb9760a0ca2f87b51dc
SSDEEP

24576:862qmN9l3k9u2fVp8BZZEcNNzPv5+MaLWegi94Dj2LmA9DMMABQCs:52fR0g4Vp8bDNNzZEWO9k2LmACMABQCs

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	250df0b58fca9f0870a7c75415e53990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	250df0b58fca9f0870a7c75415e53990N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\B:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\O:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\L:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\P:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\R:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\U:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\V:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\X:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\E:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\J:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\Z:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\K:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\Q:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\S:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\W:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\G:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\I:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\M:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\N:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\Y:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\A:	250df0b58fca9f0870a7c75415e53990N.exe
File opened (read-only)	\??\H:	250df0b58fca9f0870a7c75415e53990N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian lesbian sperm catfight ash granny .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\french trambling kicking uncut .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beast [milf] (Sandy).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american beast hardcore big shoes .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie [free] pregnant .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american bukkake hidden .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\fetish xxx lesbian nipples femdom (Curtney).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\System32\DriverStore\Temp\xxx hidden .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\american hardcore lesbian catfight nipples 40+ .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian xxx xxx licking cock 40+ .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\animal horse [bangbus] .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\animal big (Tatjana,Christine).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese kicking hot (!) .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\chinese horse sperm hot (!) girly .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Google\Temp\russian porn porn licking 50+ (Tatjana).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\japanese sperm public gorgeoushorny (Britney,Christine).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian action lesbian 40+ (Curtney,Britney).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\german nude catfight hotel .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black trambling action voyeur cock (Liz,Curtney).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian animal voyeur (Sonja,Melissa).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\asian hardcore several models pregnant .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse lingerie masturbation hotel (Jenna,Gina).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Google\Update\Download\spanish lingerie fucking masturbation (Anniston).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\gang bang sleeping vagina fishy .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Common Files\microsoft shared\danish bukkake porn sleeping vagina sm (Jade,Sarah).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\dotnet\shared\canadian fetish [bangbus] bedroom .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\beast hot (!) YEâPSè& (Jade,Curtney).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\japanese xxx xxx [free] (Jenna,Liz).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian animal blowjob catfight (Anniston).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\handjob animal [milf] (Sonja,Jenna).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\danish porn lesbian voyeur .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\horse [bangbus] high heels .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\british sperm [bangbus] .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\russian nude fetish [bangbus] (Jade,Karin).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american action kicking girls .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\CbsTemp\italian cum bukkake several models hotel .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\american fucking lingerie full movie (Gina).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\porn girls legs beautyfull .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\PLA\Templates\italian xxx blowjob [milf] feet granny (Melissa,Sarah).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beastiality animal catfight hairy .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\lingerie lesbian [bangbus] .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\fetish hidden (Sandy,Karin).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\assembly\temp\indian bukkake catfight granny .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\malaysia animal licking ejaculation .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\indian horse licking lady .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\xxx full movie ejaculation .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\horse girls sweet (Anniston,Sandy).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\trambling catfight glans 40+ .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\german trambling [bangbus] vagina (Melissa).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\beastiality sperm big (Curtney).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\spanish cum beast masturbation fishy (Anniston).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\lesbian beastiality lesbian glans (Liz,Anniston).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\african action hidden .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\african action uncut feet fishy .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\handjob porn licking titts upskirt .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\InputMethod\SHARED\spanish cum lesbian [bangbus] shoes (Sarah,Curtney).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fetish public (Curtney,Sonja).mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\indian porn lesbian masturbation nipples redhair (Jade).avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\japanese blowjob masturbation wifey .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\trambling porn [free] wifey .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\hardcore public (Samantha,Kathrin).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\russian gang bang uncut .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\beastiality gang bang sleeping beautyfull .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\gang bang lingerie [bangbus] glans lady .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\tyrkish bukkake uncut .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\beast blowjob hidden .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\gang bang hidden .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\kicking [free] traffic .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\handjob action [free] .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\french beast beastiality public boots .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\action public .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\assembly\tmp\african animal several models .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\indian lingerie beast hot (!) .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\lesbian [free] nipples ash .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\sperm fucking lesbian latex .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\asian cum beastiality [bangbus] glans .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\lesbian xxx voyeur penetration (Sonja).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\kicking fetish full movie mature (Karin,Ashley).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\handjob masturbation castration .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\indian animal voyeur black hairunshaved (Britney,Samantha).mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\handjob hot (!) .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\british nude masturbation boobs .rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\sperm cumshot public wifey .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\african bukkake [bangbus] vagina leather .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\cum blowjob girls YEâPSè& .mpg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\french porn cumshot girls 40+ (Jenna).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\tyrkish hardcore hot (!) (Jade,Gina).zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\black beast [milf] black hairunshaved .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\american fucking uncut nipples .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\blowjob sleeping (Anniston).rar.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\Downloaded Program Files\brasilian cumshot cum licking swallow .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\tyrkish lingerie xxx voyeur .mpeg.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\canadian fetish beastiality hidden stockings .zip.exe	250df0b58fca9f0870a7c75415e53990N.exe
File created	C:\Windows\security\templates\tyrkish beastiality big ash young .avi.exe	250df0b58fca9f0870a7c75415e53990N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
2364	250df0b58fca9f0870a7c75415e53990N.exe
2364	250df0b58fca9f0870a7c75415e53990N.exe
3776	250df0b58fca9f0870a7c75415e53990N.exe
3776	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
1588	250df0b58fca9f0870a7c75415e53990N.exe
1588	250df0b58fca9f0870a7c75415e53990N.exe
852	250df0b58fca9f0870a7c75415e53990N.exe
852	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
1824	250df0b58fca9f0870a7c75415e53990N.exe
1824	250df0b58fca9f0870a7c75415e53990N.exe
4580	250df0b58fca9f0870a7c75415e53990N.exe
4580	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
5044	250df0b58fca9f0870a7c75415e53990N.exe
4092	250df0b58fca9f0870a7c75415e53990N.exe
4092	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
1276	250df0b58fca9f0870a7c75415e53990N.exe
2364	250df0b58fca9f0870a7c75415e53990N.exe
2364	250df0b58fca9f0870a7c75415e53990N.exe
4980	250df0b58fca9f0870a7c75415e53990N.exe
4980	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3100	250df0b58fca9f0870a7c75415e53990N.exe
3184	250df0b58fca9f0870a7c75415e53990N.exe
3184	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
3840	250df0b58fca9f0870a7c75415e53990N.exe
2004	250df0b58fca9f0870a7c75415e53990N.exe
2004	250df0b58fca9f0870a7c75415e53990N.exe
2784	250df0b58fca9f0870a7c75415e53990N.exe
2784	250df0b58fca9f0870a7c75415e53990N.exe
3172	250df0b58fca9f0870a7c75415e53990N.exe
3172	250df0b58fca9f0870a7c75415e53990N.exe
3776	250df0b58fca9f0870a7c75415e53990N.exe
3776	250df0b58fca9f0870a7c75415e53990N.exe
852	250df0b58fca9f0870a7c75415e53990N.exe
852	250df0b58fca9f0870a7c75415e53990N.exe
1588	250df0b58fca9f0870a7c75415e53990N.exe
1588	250df0b58fca9f0870a7c75415e53990N.exe
2064	250df0b58fca9f0870a7c75415e53990N.exe
2064	250df0b58fca9f0870a7c75415e53990N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1276	5044	250df0b58fca9f0870a7c75415e53990N.exe	86
PID 5044 wrote to memory of 1276	5044	250df0b58fca9f0870a7c75415e53990N.exe	86
PID 5044 wrote to memory of 1276	5044	250df0b58fca9f0870a7c75415e53990N.exe	86
PID 5044 wrote to memory of 3100	5044	250df0b58fca9f0870a7c75415e53990N.exe	87
PID 5044 wrote to memory of 3100	5044	250df0b58fca9f0870a7c75415e53990N.exe	87
PID 5044 wrote to memory of 3100	5044	250df0b58fca9f0870a7c75415e53990N.exe	87
PID 1276 wrote to memory of 3840	1276	250df0b58fca9f0870a7c75415e53990N.exe	88
PID 1276 wrote to memory of 3840	1276	250df0b58fca9f0870a7c75415e53990N.exe	88
PID 1276 wrote to memory of 3840	1276	250df0b58fca9f0870a7c75415e53990N.exe	88
PID 5044 wrote to memory of 2364	5044	250df0b58fca9f0870a7c75415e53990N.exe	89
PID 5044 wrote to memory of 2364	5044	250df0b58fca9f0870a7c75415e53990N.exe	89
PID 5044 wrote to memory of 2364	5044	250df0b58fca9f0870a7c75415e53990N.exe	89
PID 1276 wrote to memory of 3776	1276	250df0b58fca9f0870a7c75415e53990N.exe	90
PID 1276 wrote to memory of 3776	1276	250df0b58fca9f0870a7c75415e53990N.exe	90
PID 1276 wrote to memory of 3776	1276	250df0b58fca9f0870a7c75415e53990N.exe	90
PID 3100 wrote to memory of 1588	3100	250df0b58fca9f0870a7c75415e53990N.exe	91
PID 3100 wrote to memory of 1588	3100	250df0b58fca9f0870a7c75415e53990N.exe	91
PID 3100 wrote to memory of 1588	3100	250df0b58fca9f0870a7c75415e53990N.exe	91
PID 3840 wrote to memory of 852	3840	250df0b58fca9f0870a7c75415e53990N.exe	92
PID 3840 wrote to memory of 852	3840	250df0b58fca9f0870a7c75415e53990N.exe	92
PID 3840 wrote to memory of 852	3840	250df0b58fca9f0870a7c75415e53990N.exe	92
PID 5044 wrote to memory of 1824	5044	250df0b58fca9f0870a7c75415e53990N.exe	93
PID 5044 wrote to memory of 1824	5044	250df0b58fca9f0870a7c75415e53990N.exe	93
PID 5044 wrote to memory of 1824	5044	250df0b58fca9f0870a7c75415e53990N.exe	93
PID 1276 wrote to memory of 4580	1276	250df0b58fca9f0870a7c75415e53990N.exe	94
PID 1276 wrote to memory of 4580	1276	250df0b58fca9f0870a7c75415e53990N.exe	94
PID 1276 wrote to memory of 4580	1276	250df0b58fca9f0870a7c75415e53990N.exe	94
PID 2364 wrote to memory of 4092	2364	250df0b58fca9f0870a7c75415e53990N.exe	95
PID 2364 wrote to memory of 4092	2364	250df0b58fca9f0870a7c75415e53990N.exe	95
PID 2364 wrote to memory of 4092	2364	250df0b58fca9f0870a7c75415e53990N.exe	95
PID 3100 wrote to memory of 4980	3100	250df0b58fca9f0870a7c75415e53990N.exe	96
PID 3100 wrote to memory of 4980	3100	250df0b58fca9f0870a7c75415e53990N.exe	96
PID 3100 wrote to memory of 4980	3100	250df0b58fca9f0870a7c75415e53990N.exe	96
PID 3840 wrote to memory of 3184	3840	250df0b58fca9f0870a7c75415e53990N.exe	97
PID 3840 wrote to memory of 3184	3840	250df0b58fca9f0870a7c75415e53990N.exe	97
PID 3840 wrote to memory of 3184	3840	250df0b58fca9f0870a7c75415e53990N.exe	97
PID 3776 wrote to memory of 2004	3776	250df0b58fca9f0870a7c75415e53990N.exe	98
PID 3776 wrote to memory of 2004	3776	250df0b58fca9f0870a7c75415e53990N.exe	98
PID 3776 wrote to memory of 2004	3776	250df0b58fca9f0870a7c75415e53990N.exe	98
PID 1588 wrote to memory of 2784	1588	250df0b58fca9f0870a7c75415e53990N.exe	99
PID 1588 wrote to memory of 2784	1588	250df0b58fca9f0870a7c75415e53990N.exe	99
PID 1588 wrote to memory of 2784	1588	250df0b58fca9f0870a7c75415e53990N.exe	99
PID 852 wrote to memory of 3172	852	250df0b58fca9f0870a7c75415e53990N.exe	100
PID 852 wrote to memory of 3172	852	250df0b58fca9f0870a7c75415e53990N.exe	100
PID 852 wrote to memory of 3172	852	250df0b58fca9f0870a7c75415e53990N.exe	100
PID 5044 wrote to memory of 2064	5044	250df0b58fca9f0870a7c75415e53990N.exe	101
PID 5044 wrote to memory of 2064	5044	250df0b58fca9f0870a7c75415e53990N.exe	101
PID 5044 wrote to memory of 2064	5044	250df0b58fca9f0870a7c75415e53990N.exe	101
PID 1276 wrote to memory of 2172	1276	250df0b58fca9f0870a7c75415e53990N.exe	102
PID 1276 wrote to memory of 2172	1276	250df0b58fca9f0870a7c75415e53990N.exe	102
PID 1276 wrote to memory of 2172	1276	250df0b58fca9f0870a7c75415e53990N.exe	102
PID 1824 wrote to memory of 2732	1824	250df0b58fca9f0870a7c75415e53990N.exe	103
PID 1824 wrote to memory of 2732	1824	250df0b58fca9f0870a7c75415e53990N.exe	103
PID 1824 wrote to memory of 2732	1824	250df0b58fca9f0870a7c75415e53990N.exe	103
PID 2364 wrote to memory of 3540	2364	250df0b58fca9f0870a7c75415e53990N.exe	104
PID 2364 wrote to memory of 3540	2364	250df0b58fca9f0870a7c75415e53990N.exe	104
PID 2364 wrote to memory of 3540	2364	250df0b58fca9f0870a7c75415e53990N.exe	104
PID 3100 wrote to memory of 2096	3100	250df0b58fca9f0870a7c75415e53990N.exe	105
PID 3100 wrote to memory of 2096	3100	250df0b58fca9f0870a7c75415e53990N.exe	105
PID 3100 wrote to memory of 2096	3100	250df0b58fca9f0870a7c75415e53990N.exe	105
PID 4580 wrote to memory of 1008	4580	250df0b58fca9f0870a7c75415e53990N.exe	106
PID 4580 wrote to memory of 1008	4580	250df0b58fca9f0870a7c75415e53990N.exe	106
PID 4580 wrote to memory of 1008	4580	250df0b58fca9f0870a7c75415e53990N.exe	106
PID 3840 wrote to memory of 2672	3840	250df0b58fca9f0870a7c75415e53990N.exe	107

C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
"C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3172
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        8⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        8⤵
        
        PID:11248
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        8⤵
        
        PID:16096
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:15748
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        8⤵
        
        PID:13660
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:14556
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:13436
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:14792
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:12472
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:7176
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:9952
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13768
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11168
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6428
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13416
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7192
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10396
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:15452
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:11256
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:16184
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:16256
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:10596
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:14584
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5016
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:9188
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:12976
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6024
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13052
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7288
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10116
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13980
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5508
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11136
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:16116
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8404
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11160
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16152
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8880
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11996
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6228
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:12652
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7256
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10108
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14436
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:16176
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:6916
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:16476
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:9960
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13752
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11788
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:12992
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7312
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:14204
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:12488
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7364
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10420
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:14476
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8380
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11224
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6212
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13668
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7280
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10124
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14212
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5604
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11144
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:16144
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6852
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8240
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10904
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16088
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8256
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11096
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16112
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6220
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13224
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7272
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10144
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14004
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:5516
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:12984
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7408
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10612
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14692
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:8372
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:11104
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:16192
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:6260
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13676
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:7208
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:10016
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:13940
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:3560
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:11176
        
        C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        7⤵
        
        PID:16208
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:10620
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:14576
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:8388
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11112
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:16160
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13232
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7296
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10052
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13972
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5540
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11756
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7372
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10388
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13996
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8676
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11796
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6204
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:12592
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7248
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10404
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:15756
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:376
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5612
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:10876
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:15636
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6868
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5920
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:9968
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13736
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:13392
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:9936
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13728
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:12724
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7320
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10436
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14568
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:12480
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6900
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16224
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:9944
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13744
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:8396
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:11120
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:16136
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:6252
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13600
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:7232
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:10008
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:13988
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:11084
      - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        6⤵
        
        PID:16200
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:7416
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:10428
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:14424
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8792
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11680
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16168
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6244
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:13240
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7240
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10000
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13868
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11184
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:10852
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:14948
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:8664
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:12464
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:6236
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:15832
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:10024
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:13880
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:5596
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:8544
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:11152
    - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
        5⤵
        
        PID:16128
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:6860
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:7216
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:9984
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13760
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:8412
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:16104
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:13248
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:7224
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:10412
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:14444
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:11196
  - - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
      "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
      4⤵
      PID:16216
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:6908
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:7160
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:9928
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:13776
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:8580
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:12152
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  PID:6284
- - C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
    "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
    3⤵
    PID:13256
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  PID:7200
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  PID:10044
- C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe
  "C:\Users\Admin\AppData\Local\Temp\250df0b58fca9f0870a7c75415e53990N.exe"
  2⤵
  PID:14012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian action lesbian 40+ (Curtney,Britney).mpeg.exe

Filesize
1.6MB

MD5
e202cc1ea9aa857963eed9299652f333

SHA1
a13e15b5da08dab6169f0cdf88e0ea5243994587

SHA256
fe6479106c9cc41ac365f66cb80e9741183d3933614f714fffb876de8a4f77d1

SHA512
bbcec38ce0d4a4b0fe9d4592003d3cef0598dd0fca3ca866782770e3e9c46dbcb30b86d8bc73bd9fb4e029c58e6ee8987176c51974b6460bc43dbb9b11a6a13b

Download Submit