ac3bb0b39be8b180cac69de86bb8096660380f1953a75c0838ff7d2599f8f0a4

Analysis

max time kernel
13s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 14:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef80372a78cbb7d2a546956c44076c40N.exe
Size

1.3MB
MD5

ef80372a78cbb7d2a546956c44076c40
SHA1

a31eb0adb8849be51c05cf91e3ef9adcb79525cd
SHA256

ac3bb0b39be8b180cac69de86bb8096660380f1953a75c0838ff7d2599f8f0a4
SHA512

00910e531405680a6791fa0d87251be1d58ee24c7e6e6c9c454fecd18784eafd4ba3fff5be9e83252a66a6fc14c43dfcf364719a7b0678d0c47a3128d7739ceb
SSDEEP

24576:86rJbRud2y1Wd1lTH/4xKmEEqU3cFziIg9kU9X3I7L/snry01CayhZo1:5rJtq1Wd1lTH/4AmE5U3cFxMk2X3I7gl

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	ef80372a78cbb7d2a546956c44076c40N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ef80372a78cbb7d2a546956c44076c40N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\B:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\H:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\P:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\Q:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\S:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\E:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\G:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\L:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\N:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\R:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\V:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\X:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\A:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\I:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\J:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\O:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\U:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\K:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\M:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\T:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\W:	ef80372a78cbb7d2a546956c44076c40N.exe
File opened (read-only)	\??\Y:	ef80372a78cbb7d2a546956c44076c40N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\malaysia blowjob voyeur bedroom .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish hardcore fetish public .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\FxsTmp\german gang bang public legs .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish gang bang licking bedroom .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\System32\DriverStore\Temp\french trambling licking ash (Samantha,Anniston).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\FxsTmp\american hardcore masturbation legs granny .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish cumshot fetish masturbation hole high heels .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african gay full movie (Christine,Sonja).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\british cumshot hot (!) bondage .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian sleeping .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian horse masturbation sm .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lingerie licking penetration (Gina,Curtney).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Templates\brasilian beast full movie vagina .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\canadian cum full movie .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british sperm full movie (Kathrin).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm gang bang voyeur traffic .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Google\Update\Download\gay public boobs bedroom (Liz,Karin).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Common Files\microsoft shared\brasilian horse kicking hot (!) cock penetration .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\french hardcore horse catfight nipples .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\lingerie beast hot (!) vagina .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\dotnet\shared\animal lesbian licking 40+ .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\french porn lesbian lesbian girly .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\norwegian nude handjob girls titts (Ashley,Karin).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\handjob uncut beautyfull .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian sperm [free] .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking sperm [free] nipples .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish cumshot lingerie uncut upskirt .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian nude masturbation feet ejaculation .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\japanese horse handjob girls vagina girly (Liz).avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore animal girls hotel (Sonja,Gina).rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\animal [bangbus] .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\porn blowjob full movie .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\blowjob catfight boots .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\beast hardcore masturbation glans upskirt .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\cum girls cock bedroom .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\british porn fetish hot (!) lady (Curtney,Sonja).rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\spanish porn uncut .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\danish lesbian nude voyeur sweet .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\action girls legs .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\japanese beastiality catfight hole (Gina,Kathrin).rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\french cumshot uncut .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\blowjob trambling public glans (Christine,Kathrin).mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\CbsTemp\cumshot lesbian .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\british handjob big bedroom (Tatjana).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\american fucking blowjob uncut .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\trambling girls .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\lingerie animal full movie femdom .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\assembly\tmp\animal licking young .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\norwegian cumshot lesbian fishy .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\fucking uncut .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob [bangbus] ash .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\fetish girls upskirt .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\fetish gang bang public black hairunshaved (Sonja,Sonja).avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish lingerie beastiality [free] .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\tyrkish hardcore blowjob licking gorgeoushorny .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\canadian action porn big .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\assembly\temp\italian lesbian action [free] ejaculation (Jade).mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\porn catfight .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\spanish beastiality big boobs wifey (Sonja).avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\black cumshot girls .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\spanish animal [bangbus] vagina .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\canadian lesbian trambling licking .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\fetish kicking hidden ash .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish action horse hot (!) .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\american hardcore kicking lesbian titts redhair (Jade).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\horse girls glans .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\mssrv.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\lingerie girls shoes .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\horse lingerie masturbation castration (Jenna,Christine).mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\spanish handjob fetish voyeur titts .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\black fucking trambling lesbian mistress (Kathrin).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\cumshot big traffic .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\canadian gay lesbian big vagina 40+ .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\handjob gay sleeping boobs swallow (Karin).zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\tyrkish nude action hot (!) stockings .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SoftwareDistribution\Download\black xxx hardcore [bangbus] .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\danish lesbian action lesbian hole black hairunshaved .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\fucking horse hot (!) swallow .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\gay full movie boobs ejaculation .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\japanese handjob big shoes (Janette).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\nude girls shower .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\PLA\Templates\bukkake gang bang [bangbus] blondie .mpeg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\brasilian cumshot uncut sm (Ashley,Christine).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\swedish porn full movie boots .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\russian handjob lesbian circumcision (Tatjana,Karin).avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\cumshot lingerie girls vagina femdom .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\british beastiality big hole femdom .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\malaysia cum gang bang hidden .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\canadian handjob big young .rar.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lesbian sleeping .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\horse [bangbus] vagina leather .zip.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\trambling beast [free] (Jenna,Liz).mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\spanish blowjob sleeping nipples .avi.exe	ef80372a78cbb7d2a546956c44076c40N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse licking vagina balls .mpg.exe	ef80372a78cbb7d2a546956c44076c40N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
4436	ef80372a78cbb7d2a546956c44076c40N.exe
4436	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
4460	ef80372a78cbb7d2a546956c44076c40N.exe
4460	ef80372a78cbb7d2a546956c44076c40N.exe
536	ef80372a78cbb7d2a546956c44076c40N.exe
536	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
2668	ef80372a78cbb7d2a546956c44076c40N.exe
2668	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
116	ef80372a78cbb7d2a546956c44076c40N.exe
116	ef80372a78cbb7d2a546956c44076c40N.exe
5024	ef80372a78cbb7d2a546956c44076c40N.exe
5024	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
516	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
4024	ef80372a78cbb7d2a546956c44076c40N.exe
2428	ef80372a78cbb7d2a546956c44076c40N.exe
2428	ef80372a78cbb7d2a546956c44076c40N.exe
4436	ef80372a78cbb7d2a546956c44076c40N.exe
4436	ef80372a78cbb7d2a546956c44076c40N.exe
2040	ef80372a78cbb7d2a546956c44076c40N.exe
2040	ef80372a78cbb7d2a546956c44076c40N.exe
4336	ef80372a78cbb7d2a546956c44076c40N.exe
4336	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
2316	ef80372a78cbb7d2a546956c44076c40N.exe
3520	ef80372a78cbb7d2a546956c44076c40N.exe
1500	ef80372a78cbb7d2a546956c44076c40N.exe
1500	ef80372a78cbb7d2a546956c44076c40N.exe
3856	ef80372a78cbb7d2a546956c44076c40N.exe
3856	ef80372a78cbb7d2a546956c44076c40N.exe
4460	ef80372a78cbb7d2a546956c44076c40N.exe
4460	ef80372a78cbb7d2a546956c44076c40N.exe
2668	ef80372a78cbb7d2a546956c44076c40N.exe
2668	ef80372a78cbb7d2a546956c44076c40N.exe
4212	ef80372a78cbb7d2a546956c44076c40N.exe
4212	ef80372a78cbb7d2a546956c44076c40N.exe
536	ef80372a78cbb7d2a546956c44076c40N.exe
536	ef80372a78cbb7d2a546956c44076c40N.exe
2972	ef80372a78cbb7d2a546956c44076c40N.exe
2972	ef80372a78cbb7d2a546956c44076c40N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3520	4024	ef80372a78cbb7d2a546956c44076c40N.exe	88
PID 4024 wrote to memory of 3520	4024	ef80372a78cbb7d2a546956c44076c40N.exe	88
PID 4024 wrote to memory of 3520	4024	ef80372a78cbb7d2a546956c44076c40N.exe	88
PID 4024 wrote to memory of 516	4024	ef80372a78cbb7d2a546956c44076c40N.exe	89
PID 4024 wrote to memory of 516	4024	ef80372a78cbb7d2a546956c44076c40N.exe	89
PID 4024 wrote to memory of 516	4024	ef80372a78cbb7d2a546956c44076c40N.exe	89
PID 3520 wrote to memory of 2316	3520	ef80372a78cbb7d2a546956c44076c40N.exe	90
PID 3520 wrote to memory of 2316	3520	ef80372a78cbb7d2a546956c44076c40N.exe	90
PID 3520 wrote to memory of 2316	3520	ef80372a78cbb7d2a546956c44076c40N.exe	90
PID 516 wrote to memory of 4436	516	ef80372a78cbb7d2a546956c44076c40N.exe	95
PID 516 wrote to memory of 4436	516	ef80372a78cbb7d2a546956c44076c40N.exe	95
PID 516 wrote to memory of 4436	516	ef80372a78cbb7d2a546956c44076c40N.exe	95
PID 4024 wrote to memory of 4460	4024	ef80372a78cbb7d2a546956c44076c40N.exe	96
PID 4024 wrote to memory of 4460	4024	ef80372a78cbb7d2a546956c44076c40N.exe	96
PID 4024 wrote to memory of 4460	4024	ef80372a78cbb7d2a546956c44076c40N.exe	96
PID 3520 wrote to memory of 536	3520	ef80372a78cbb7d2a546956c44076c40N.exe	97
PID 3520 wrote to memory of 536	3520	ef80372a78cbb7d2a546956c44076c40N.exe	97
PID 3520 wrote to memory of 536	3520	ef80372a78cbb7d2a546956c44076c40N.exe	97
PID 2316 wrote to memory of 2668	2316	ef80372a78cbb7d2a546956c44076c40N.exe	98
PID 2316 wrote to memory of 2668	2316	ef80372a78cbb7d2a546956c44076c40N.exe	98
PID 2316 wrote to memory of 2668	2316	ef80372a78cbb7d2a546956c44076c40N.exe	98
PID 516 wrote to memory of 116	516	ef80372a78cbb7d2a546956c44076c40N.exe	99
PID 516 wrote to memory of 116	516	ef80372a78cbb7d2a546956c44076c40N.exe	99
PID 516 wrote to memory of 116	516	ef80372a78cbb7d2a546956c44076c40N.exe	99
PID 4024 wrote to memory of 5024	4024	ef80372a78cbb7d2a546956c44076c40N.exe	101
PID 4024 wrote to memory of 5024	4024	ef80372a78cbb7d2a546956c44076c40N.exe	101
PID 4024 wrote to memory of 5024	4024	ef80372a78cbb7d2a546956c44076c40N.exe	101
PID 4436 wrote to memory of 2428	4436	ef80372a78cbb7d2a546956c44076c40N.exe	100
PID 4436 wrote to memory of 2428	4436	ef80372a78cbb7d2a546956c44076c40N.exe	100
PID 4436 wrote to memory of 2428	4436	ef80372a78cbb7d2a546956c44076c40N.exe	100
PID 3520 wrote to memory of 2040	3520	ef80372a78cbb7d2a546956c44076c40N.exe	103
PID 3520 wrote to memory of 2040	3520	ef80372a78cbb7d2a546956c44076c40N.exe	103
PID 3520 wrote to memory of 2040	3520	ef80372a78cbb7d2a546956c44076c40N.exe	103
PID 2316 wrote to memory of 4336	2316	ef80372a78cbb7d2a546956c44076c40N.exe	104
PID 2316 wrote to memory of 4336	2316	ef80372a78cbb7d2a546956c44076c40N.exe	104
PID 2316 wrote to memory of 4336	2316	ef80372a78cbb7d2a546956c44076c40N.exe	104
PID 4460 wrote to memory of 3856	4460	ef80372a78cbb7d2a546956c44076c40N.exe	105
PID 4460 wrote to memory of 3856	4460	ef80372a78cbb7d2a546956c44076c40N.exe	105
PID 4460 wrote to memory of 3856	4460	ef80372a78cbb7d2a546956c44076c40N.exe	105
PID 2668 wrote to memory of 1500	2668	ef80372a78cbb7d2a546956c44076c40N.exe	106
PID 2668 wrote to memory of 1500	2668	ef80372a78cbb7d2a546956c44076c40N.exe	106
PID 2668 wrote to memory of 1500	2668	ef80372a78cbb7d2a546956c44076c40N.exe	106
PID 536 wrote to memory of 4212	536	ef80372a78cbb7d2a546956c44076c40N.exe	107
PID 536 wrote to memory of 4212	536	ef80372a78cbb7d2a546956c44076c40N.exe	107
PID 536 wrote to memory of 4212	536	ef80372a78cbb7d2a546956c44076c40N.exe	107
PID 516 wrote to memory of 2972	516	ef80372a78cbb7d2a546956c44076c40N.exe	108
PID 516 wrote to memory of 2972	516	ef80372a78cbb7d2a546956c44076c40N.exe	108
PID 516 wrote to memory of 2972	516	ef80372a78cbb7d2a546956c44076c40N.exe	108
PID 4024 wrote to memory of 3992	4024	ef80372a78cbb7d2a546956c44076c40N.exe	109
PID 4024 wrote to memory of 3992	4024	ef80372a78cbb7d2a546956c44076c40N.exe	109
PID 4024 wrote to memory of 3992	4024	ef80372a78cbb7d2a546956c44076c40N.exe	109
PID 4436 wrote to memory of 1692	4436	ef80372a78cbb7d2a546956c44076c40N.exe	110
PID 4436 wrote to memory of 1692	4436	ef80372a78cbb7d2a546956c44076c40N.exe	110
PID 4436 wrote to memory of 1692	4436	ef80372a78cbb7d2a546956c44076c40N.exe	110
PID 116 wrote to memory of 1116	116	ef80372a78cbb7d2a546956c44076c40N.exe	111
PID 116 wrote to memory of 1116	116	ef80372a78cbb7d2a546956c44076c40N.exe	111
PID 116 wrote to memory of 1116	116	ef80372a78cbb7d2a546956c44076c40N.exe	111
PID 5024 wrote to memory of 3600	5024	ef80372a78cbb7d2a546956c44076c40N.exe	112
PID 5024 wrote to memory of 3600	5024	ef80372a78cbb7d2a546956c44076c40N.exe	112
PID 5024 wrote to memory of 3600	5024	ef80372a78cbb7d2a546956c44076c40N.exe	112
PID 2316 wrote to memory of 5084	2316	ef80372a78cbb7d2a546956c44076c40N.exe	113
PID 2316 wrote to memory of 5084	2316	ef80372a78cbb7d2a546956c44076c40N.exe	113
PID 2316 wrote to memory of 5084	2316	ef80372a78cbb7d2a546956c44076c40N.exe	113
PID 3520 wrote to memory of 3484	3520	ef80372a78cbb7d2a546956c44076c40N.exe	114

C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
"C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        9⤵
        
        PID:16432
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:11064
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:16880
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:13584
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:16568
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:12656
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16128
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:17460
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:11152
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16816
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:13956
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16216
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:10052
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:13976
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:16100
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:11112
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:14764
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16296
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:2812
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:10016
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:13872
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:19236
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12224
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16512
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16120
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10392
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14172
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16240
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:16664
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:11400
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16808
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:13592
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16088
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16696
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12920
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16600
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:10684
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:14500
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16328
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:13740
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10064
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13944
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16376
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11180
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:14900
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16320
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16592
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10104
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13992
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:17468
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11192
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16872
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6680
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16608
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10712
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14508
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16232
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:4184
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:17492
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:13168
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:12932
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16688
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11956
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16624
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:2648
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11528
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16800
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16632
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:9732
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13660
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8320
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16448
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11144
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16768
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:13812
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:9740
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13804
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8328
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16440
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11004
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14644
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16312
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6648
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16752
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10116
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:13964
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:3364
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:736
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6356
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:18500
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11168
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16832
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6528
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12736
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:9000
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:17508
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13248
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5936
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16712
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10260
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14052
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13636
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16656
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10088
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:13936
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14544
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8708
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16648
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11428
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16760
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6504
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:12580
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16408
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8760
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16416
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:11540
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16792
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8344
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:17040
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:11136
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16840
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:6672
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16488
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:10424
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14268
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16344
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        8⤵
        
        PID:16504
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:10996
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:14692
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16256
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:13648
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16704
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12604
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:5928
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16520
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11028
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:14932
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16248
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6512
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12632
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16112
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8860
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:17452
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11076
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14912
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16208
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:5532
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:17008
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11456
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16824
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6688
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16528
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10432
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14308
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16336
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:7956
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16616
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10788
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14484
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16172
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6712
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16464
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10452
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14292
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16352
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      Checks computer location settings
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16680
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:11444
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16776
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6704
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16480
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10444
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14196
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16364
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16180
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11796
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16736
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6720
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16396
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10472
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14180
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16360
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5280
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16576
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11748
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16728
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6744
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16672
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10560
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14300
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16196
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8432
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16392
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16744
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16640
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:10540
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14284
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16224
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6396
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        7⤵
        
        PID:16584
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:13984
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:1316
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:12592
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:19212
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13452
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:17016
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6172
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8564
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16560
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11200
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14892
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16156
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6568
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:13720
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:17516
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8976
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:17500
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:12516
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:17056
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:8440
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16456
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:11104
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14876
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16144
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6616
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14188
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16164
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10072
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14084
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8272
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16536
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:11012
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14884
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16264
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:6664
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16472
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:10912
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14492
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16280
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:5848
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        6⤵
        
        PID:16496
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:10180
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:14060
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:15368
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:6632
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:16720
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:10084
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:14044
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16188
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8580
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:17472
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:11436
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16784
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:17048
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:10704
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14636
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16288
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  - Checks computer location settings
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:8724
    - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
        5⤵
        
        PID:17180
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:9556
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16424
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:6728
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:16552
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:10480
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14276
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16304
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:8548
  - - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
      4⤵
      PID:17484
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:11160
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:14924
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16268
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  PID:6736
- - C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
    3⤵
    PID:16544
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  PID:10804
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  PID:14476
- C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef80372a78cbb7d2a546956c44076c40N.exe"
  2⤵
  PID:16132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking sperm [free] nipples .avi.exe

Filesize
271KB

MD5
13a7ab533cdf6634dac147047866d1b5

SHA1
7ba2b6f24be5f0424ab8e062dd08d3a06042b3f7

SHA256
c33951d29fe3ef27e42c8626c557327a86a61ddf1b8972c71ad6846998d73779

SHA512
3c5d906e00eb421cf93056c92424385f7c894af46ed7ffddf010d699409cf04a27556637c40fdfd95bfe88d04422987a0e1e8b0f26299b0a826c5c5ff633490a

Download Submit