3ed04bf0a26118569bd11927927fa34aee4506cda05aa60c334ab198a3bb1f23

Analysis

max time kernel
10s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 10:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca174ee8ffe138a0ce3bcced12c75990N.exe
Size

1006KB
MD5

ca174ee8ffe138a0ce3bcced12c75990
SHA1

ea8066f6da956f54add6d35529d1df9e41df5957
SHA256

3ed04bf0a26118569bd11927927fa34aee4506cda05aa60c334ab198a3bb1f23
SHA512

15863e446cd2250434602b4c6a0f85e7d6cd18a43d5a9d7d09a0fb20bb88f80c761c58e9f9726118dcfc52bc2ab6b470cccbdc9e5f595b8b789d538de2aa9d53
SSDEEP

24576:86gMfDGnMnFpVwBHj08MgkQj7XtL5CSaCLVl32caR3u:5gKqMhwBHj6gkQHttCSaCVjapu

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ca174ee8ffe138a0ce3bcced12c75990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ca174ee8ffe138a0ce3bcced12c75990N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\G:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\I:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\M:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\N:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\T:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\X:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\A:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\P:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\U:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\Z:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\O:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\Q:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\R:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\V:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\Y:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\L:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\H:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\J:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\K:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\S:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\W:	ca174ee8ffe138a0ce3bcced12c75990N.exe
File opened (read-only)	\??\E:	ca174ee8ffe138a0ce3bcced12c75990N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish horse trambling catfight castration .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian porn xxx sleeping titts balls .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\trambling voyeur glans mistress (Samantha).rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish animal horse several models feet latex .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish gang bang trambling [free] sweet .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish action trambling girls glans boots .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese gang bang lingerie sleeping feet bedroom .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish cum blowjob lesbian swallow .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm [milf] glans beautyfull (Karin).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay licking (Karin).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese horse gay masturbation penetration .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\trambling catfight hole .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\japanese handjob beast masturbation .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american porn hardcore full movie cock .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian nude hardcore hidden feet .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Google\Update\Download\black cum hardcore sleeping feet .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sperm girls .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish animal hardcore public hole .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\bukkake sleeping feet lady (Liz).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore several models gorgeoushorny (Christine,Karin).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\hardcore big titts hotel .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Google\Temp\russian cumshot horse uncut mature .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\horse masturbation wifey .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian gang bang sperm public titts wifey (Jade).avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\fucking uncut (Liz).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\gay [free] pregnant .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish porn lesbian public gorgeoushorny .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse [milf] .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Program Files\Common Files\microsoft shared\bukkake licking shoes (Kathrin,Sarah).avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\cumshot trambling catfight (Samantha).rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\animal fucking [free] upskirt .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\temp\danish action blowjob voyeur sm .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\bukkake hidden mistress (Kathrin,Curtney).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\norwegian blowjob public cock .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\bukkake voyeur redhair .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\danish beastiality sperm voyeur young .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\tyrkish cumshot trambling hidden ash .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\norwegian lesbian girls cock (Gina,Samantha).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\asian trambling several models beautyfull (Christine,Liz).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\italian handjob horse lesbian (Janette).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\british lesbian [free] (Tatjana).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\CbsTemp\black handjob bukkake uncut feet mistress .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\japanese nude gay masturbation latex .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SoftwareDistribution\Download\danish horse fucking big feet granny .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\french beast [free] hole .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\asian fucking voyeur cock (Gina,Tatjana).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\norwegian lingerie [free] .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\japanese nude lesbian uncut .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\fetish trambling voyeur glans balls .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\norwegian xxx sleeping gorgeoushorny .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\beastiality bukkake [milf] .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\Downloaded Program Files\hardcore [bangbus] stockings .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish gang bang horse big (Melissa).rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\bukkake masturbation sm (Ashley,Tatjana).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\indian handjob blowjob masturbation feet penetration .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish cumshot fucking catfight glans .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\security\templates\indian fetish bukkake voyeur shower (Jenna,Sarah).rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\canadian hardcore girls bondage (Ashley,Jade).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\PLA\Templates\indian cumshot hardcore catfight (Janette).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\lingerie hot (!) feet fishy (Samantha).rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\indian cum blowjob voyeur .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\action fucking hidden redhair .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\indian gang bang gay masturbation feet black hairunshaved .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\german lingerie hot (!) redhair .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\hardcore full movie wifey .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx [free] cock girly .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\american kicking gay licking titts mature .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\mssrv.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\tmp\beast lesbian young (Sonja,Liz).avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling masturbation shoes (Christine,Samantha).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\malaysia gay girls glans .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\indian kicking lesbian masturbation bondage (Ashley,Liz).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\fetish fucking [bangbus] .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\lesbian several models high heels .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish animal beast hidden cock gorgeoushorny (Curtney).zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\lesbian catfight .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\kicking xxx hot (!) ejaculation .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\italian kicking lingerie [free] cock girly .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\german fucking voyeur feet .mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\InputMethod\SHARED\italian kicking xxx uncut titts blondie .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\indian nude xxx [free] feet bedroom (Curtney).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\hardcore sleeping hole 40+ .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\beastiality gay [free] glans shoes .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\blowjob public beautyfull .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob masturbation boots .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian nude lingerie several models redhair (Sandy,Janette).mpg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\indian action lesbian catfight .mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\german xxx [bangbus] granny (Sandy,Tatjana).avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\swedish kicking fucking [free] cock .avi.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\norwegian xxx uncut glans traffic .rar.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\british lesbian girls lady (Christine,Sylvia).mpeg.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\tyrkish porn trambling big .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\canadian lesbian voyeur .zip.exe	ca174ee8ffe138a0ce3bcced12c75990N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
2360	ca174ee8ffe138a0ce3bcced12c75990N.exe
2360	ca174ee8ffe138a0ce3bcced12c75990N.exe
916	ca174ee8ffe138a0ce3bcced12c75990N.exe
916	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
1568	ca174ee8ffe138a0ce3bcced12c75990N.exe
1568	ca174ee8ffe138a0ce3bcced12c75990N.exe
4080	ca174ee8ffe138a0ce3bcced12c75990N.exe
4080	ca174ee8ffe138a0ce3bcced12c75990N.exe
2360	ca174ee8ffe138a0ce3bcced12c75990N.exe
2360	ca174ee8ffe138a0ce3bcced12c75990N.exe
3952	ca174ee8ffe138a0ce3bcced12c75990N.exe
3952	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
980	ca174ee8ffe138a0ce3bcced12c75990N.exe
3068	ca174ee8ffe138a0ce3bcced12c75990N.exe
1356	ca174ee8ffe138a0ce3bcced12c75990N.exe
1356	ca174ee8ffe138a0ce3bcced12c75990N.exe
916	ca174ee8ffe138a0ce3bcced12c75990N.exe
916	ca174ee8ffe138a0ce3bcced12c75990N.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 980	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	86
PID 3068 wrote to memory of 980	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	86
PID 3068 wrote to memory of 980	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	86
PID 3068 wrote to memory of 916	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	87
PID 3068 wrote to memory of 916	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	87
PID 3068 wrote to memory of 916	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	87
PID 980 wrote to memory of 2360	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	88
PID 980 wrote to memory of 2360	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	88
PID 980 wrote to memory of 2360	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	88
PID 2360 wrote to memory of 1568	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	89
PID 2360 wrote to memory of 1568	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	89
PID 2360 wrote to memory of 1568	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	89
PID 980 wrote to memory of 4080	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	90
PID 980 wrote to memory of 4080	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	90
PID 980 wrote to memory of 4080	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	90
PID 3068 wrote to memory of 3952	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	91
PID 3068 wrote to memory of 3952	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	91
PID 3068 wrote to memory of 3952	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	91
PID 916 wrote to memory of 1356	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	92
PID 916 wrote to memory of 1356	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	92
PID 916 wrote to memory of 1356	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	92
PID 980 wrote to memory of 2420	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	93
PID 980 wrote to memory of 2420	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	93
PID 980 wrote to memory of 2420	980	ca174ee8ffe138a0ce3bcced12c75990N.exe	93
PID 2360 wrote to memory of 3204	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	94
PID 2360 wrote to memory of 3204	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	94
PID 2360 wrote to memory of 3204	2360	ca174ee8ffe138a0ce3bcced12c75990N.exe	94
PID 1568 wrote to memory of 1320	1568	ca174ee8ffe138a0ce3bcced12c75990N.exe	95
PID 1568 wrote to memory of 1320	1568	ca174ee8ffe138a0ce3bcced12c75990N.exe	95
PID 1568 wrote to memory of 1320	1568	ca174ee8ffe138a0ce3bcced12c75990N.exe	95
PID 3068 wrote to memory of 2672	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	96
PID 3068 wrote to memory of 2672	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	96
PID 3068 wrote to memory of 2672	3068	ca174ee8ffe138a0ce3bcced12c75990N.exe	96
PID 916 wrote to memory of 1456	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	97
PID 916 wrote to memory of 1456	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	97
PID 916 wrote to memory of 1456	916	ca174ee8ffe138a0ce3bcced12c75990N.exe	97
PID 4080 wrote to memory of 60	4080	ca174ee8ffe138a0ce3bcced12c75990N.exe	98
PID 4080 wrote to memory of 60	4080	ca174ee8ffe138a0ce3bcced12c75990N.exe	98
PID 4080 wrote to memory of 60	4080	ca174ee8ffe138a0ce3bcced12c75990N.exe	98
PID 3952 wrote to memory of 4424	3952	ca174ee8ffe138a0ce3bcced12c75990N.exe	99
PID 3952 wrote to memory of 4424	3952	ca174ee8ffe138a0ce3bcced12c75990N.exe	99
PID 3952 wrote to memory of 4424	3952	ca174ee8ffe138a0ce3bcced12c75990N.exe	99
PID 1356 wrote to memory of 2568	1356	ca174ee8ffe138a0ce3bcced12c75990N.exe	100
PID 1356 wrote to memory of 2568	1356	ca174ee8ffe138a0ce3bcced12c75990N.exe	100
PID 1356 wrote to memory of 2568	1356	ca174ee8ffe138a0ce3bcced12c75990N.exe	100

C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
"C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        8⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        8⤵
        
        PID:11300
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        8⤵
        
        PID:16192
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:13780
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:13700
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:12612
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:15920
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:9912
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13796
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:15928
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7364
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:14168
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8732
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:12556
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13152
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9812
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13732
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:3176
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:11900
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7276
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:10024
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:14204
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7720
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:10800
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:14860
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:12456
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9860
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13740
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5792
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11892
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9968
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14320
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8760
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:12572
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6416
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13316
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7156
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9804
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14132
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:60
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:9748
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:13652
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:10008
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:14328
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8524
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11288
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:16200
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13136
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:15768
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9828
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13756
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5568
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8476
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:16168
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7324
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14504
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8532
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:11568
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6124
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13368
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6828
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9852
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13708
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7340
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:9960
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13772
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7148
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9820
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13764
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8516
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:11232
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:16028
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6212
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:12760
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9880
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13788
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8436
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:11248
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:16184
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:10444
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14488
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:10016
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14176
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12840
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:7220
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:9984
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:13960
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        7⤵
        
        PID:11468
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:9936
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13936
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8404
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11132
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:16176
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:13376
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9796
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13716
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5544
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8484
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11544
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7372
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:10052
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14476
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7396
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:10436
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14496
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6108
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:12832
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7236
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9928
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13952
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:10428
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:14528
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7284
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:10040
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14196
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7388
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:10452
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:14520
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13160
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9992
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14100
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:12248
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7380
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:10520
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14692
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9604
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13608
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12048
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:7228
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:9944
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:13828
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:5560
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:8492
      - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        6⤵
        
        PID:11240
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:7316
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:9896
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13692
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8412
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:11096
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:16160
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:12584
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9976
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:14092
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8948
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:13056
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9904
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13820
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12808
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:6140
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12824
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:7172
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:9844
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:13748
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:8380
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:11052
    - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
        5⤵
        
        PID:15868
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:7308
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:9952
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13840
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:8768
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12992
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:6132
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:13144
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:7180
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:9836
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:13724
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:5616
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
      "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
      4⤵
      PID:12816
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:7292
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:10420
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:14512
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:8720
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:12564
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:13324
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:7212
- - C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
    "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
    3⤵
    PID:16040
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:9920
- C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe
  "C:\Users\Admin\AppData\Local\Temp\ca174ee8ffe138a0ce3bcced12c75990N.exe"
  2⤵
  PID:13684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american porn hardcore full movie cock .zip.exe

Filesize
696KB

MD5
9bdcc77ba3619a770221563c0528d800

SHA1
e6bd27d4eecea262e68415131f15728c37e1ab33

SHA256
503c0771b7117182e2cdc2c3d4bf2200e5d168a72aa6614f65ae7aa7a1b2ee25

SHA512
02e8ce26737a3160af687fa51b11b85956decf9045fdf2b8792c2d2fb6a63528c6b04af5dea28b19036565242fa2850d4452dfcd252f2b3958229d0d58d4bd43

Download Submit