d15700f8674e070de61de49e64234dd0428205f2573be33465de84d579b09e4d

Analysis

max time kernel
16s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03964d230265d3bfbf39cb5ea5234990N.exe
Size

425KB
MD5

03964d230265d3bfbf39cb5ea5234990
SHA1

796aafe4c25844597e9746e256ab2304e55832b4
SHA256

d15700f8674e070de61de49e64234dd0428205f2573be33465de84d579b09e4d
SHA512

2993e2cf04591fe063cd3dd84da2bc24416ce6c1ce3255c5fc07e1ad7b98bdc54e9ad1df1d360c2b8522ec86c99a053d6d6994cd80bcd84baad8e846a7c2975a
SSDEEP

12288:dXCNi9B2zE47k0fVizBN/6gzw+wiXGZyakTa:oW2Y4I0f8fCgaiXGIakO

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	03964d230265d3bfbf39cb5ea5234990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	03964d230265d3bfbf39cb5ea5234990N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\V:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\X:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\E:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\H:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\K:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\U:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\W:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\Y:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\M:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\N:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\Q:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\R:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\T:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\Z:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\A:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\G:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\P:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\L:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\O:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\B:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\I:	03964d230265d3bfbf39cb5ea5234990N.exe
File opened (read-only)	\??\J:	03964d230265d3bfbf39cb5ea5234990N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake kicking [free] .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian sperm porn licking balls (Tatjana).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish lingerie [milf] fishy (Sandy).mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\norwegian cum sleeping feet blondie (Tatjana).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese sperm blowjob sleeping lady .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black horse [milf] shoes (Liz,Samantha).mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\System32\DriverStore\Temp\danish sperm sperm hidden circumcision .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\african sperm animal masturbation Ôï (Karin,Samantha).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay voyeur ¼ë .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beast [bangbus] .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\norwegian cum masturbation leather (Anniston,Gina).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese fucking [free] shoes (Kathrin).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\cum full movie (Kathrin).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\indian nude xxx masturbation traffic .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\action xxx girls (Gina,Jade).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\horse uncut .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese nude action masturbation feet redhair (Janette).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\dotnet\shared\gay action licking mature .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian beastiality sleeping (Liz).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\kicking hardcore [bangbus] .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\animal cum big cock gorgeoushorny (Tatjana).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Google\Temp\russian cumshot fucking voyeur glans castration (Sarah).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\german gang bang animal hidden glans .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU8898.tmp\brasilian horse handjob hot (!) .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian lingerie hardcore voyeur lady .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\japanese lingerie hardcore full movie .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese horse porn hot (!) .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob public feet latex .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\blowjob catfight ejaculation (Tatjana).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\african horse hidden black hairunshaved (Anniston,Curtney).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\brasilian cumshot lingerie lesbian 50+ .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese kicking hardcore [free] .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\lesbian beast public feet .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\CbsTemp\russian lingerie sperm sleeping glans boots (Samantha,Kathrin).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\brasilian cumshot fetish lesbian (Christine).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\british lesbian horse public .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\norwegian fetish girls (Gina,Tatjana).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\asian horse uncut .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\beastiality sleeping nipples wifey .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\handjob big beautyfull (Sonja).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\assembly\tmp\animal big legs beautyfull .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\porn blowjob uncut ash .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\chinese nude hardcore several models bondage (Christine).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\sperm licking (Jade,Anniston).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\hardcore uncut ash mistress (Ashley,Liz).mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie trambling several models leather .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\italian handjob horse lesbian castration (Christine).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\gang bang handjob masturbation lady .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\french gang bang beast catfight .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\kicking masturbation wifey .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\security\templates\japanese lingerie beast girls titts hotel .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse [free] (Ashley,Janette).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\russian lingerie porn sleeping hotel (Christine).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\spanish cum hot (!) vagina swallow .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\german nude several models boobs granny .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\russian action fetish full movie feet (Sylvia,Ashley).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\black cum [milf] cock sm .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\french fucking action big titts castration (Karin).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\sperm blowjob sleeping swallow (Kathrin,Gina).mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\malaysia handjob animal lesbian pregnant .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\swedish nude hidden granny .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\action porn [milf] wifey .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\tyrkish action masturbation castration (Liz).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\assembly\temp\gay bukkake hot (!) cock (Jenna,Anniston).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian animal bukkake uncut ash Œã .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\spanish action several models balls .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\bukkake girls feet shower .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\chinese beastiality lesbian nipples .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\blowjob cumshot [free] high heels (Gina,Tatjana).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\beast full movie lady .mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\malaysia handjob action full movie ash girly (Sarah,Sarah).zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\russian kicking several models .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\lingerie horse public glans femdom .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\asian cumshot porn public feet boots .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\gay cumshot sleeping (Christine).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\trambling masturbation fishy .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\african gang bang xxx lesbian upskirt .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\InputMethod\SHARED\norwegian animal horse voyeur balls (Christine).rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\PLA\Templates\italian cum [free] .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\porn hidden upskirt .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\cumshot big hole bondage (Jenna).mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\kicking blowjob [milf] granny (Melissa).mpeg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\porn gang bang sleeping cock .mpg.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\mssrv.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\trambling cum catfight boobs .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\chinese cumshot sleeping (Anniston,Sarah).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\handjob public young .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\beastiality hot (!) feet (Christine).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\hardcore horse several models beautyfull (Christine).avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\chinese fucking catfight .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\cum hot (!) upskirt .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\british sperm big sm .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\horse licking swallow .rar.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\bukkake gang bang lesbian hole .zip.exe	03964d230265d3bfbf39cb5ea5234990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\chinese cum gay catfight traffic .avi.exe	03964d230265d3bfbf39cb5ea5234990N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
3896	03964d230265d3bfbf39cb5ea5234990N.exe
3896	03964d230265d3bfbf39cb5ea5234990N.exe
760	03964d230265d3bfbf39cb5ea5234990N.exe
760	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
1516	03964d230265d3bfbf39cb5ea5234990N.exe
1516	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4456	03964d230265d3bfbf39cb5ea5234990N.exe
4456	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
4968	03964d230265d3bfbf39cb5ea5234990N.exe
4968	03964d230265d3bfbf39cb5ea5234990N.exe
2856	03964d230265d3bfbf39cb5ea5234990N.exe
2856	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
4716	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
2516	03964d230265d3bfbf39cb5ea5234990N.exe
2516	03964d230265d3bfbf39cb5ea5234990N.exe
2212	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
4972	03964d230265d3bfbf39cb5ea5234990N.exe
3140	03964d230265d3bfbf39cb5ea5234990N.exe
3140	03964d230265d3bfbf39cb5ea5234990N.exe
4216	03964d230265d3bfbf39cb5ea5234990N.exe
3248	03964d230265d3bfbf39cb5ea5234990N.exe
3248	03964d230265d3bfbf39cb5ea5234990N.exe
4216	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
1344	03964d230265d3bfbf39cb5ea5234990N.exe
1516	03964d230265d3bfbf39cb5ea5234990N.exe
1516	03964d230265d3bfbf39cb5ea5234990N.exe
3896	03964d230265d3bfbf39cb5ea5234990N.exe
3896	03964d230265d3bfbf39cb5ea5234990N.exe
1604	03964d230265d3bfbf39cb5ea5234990N.exe
1604	03964d230265d3bfbf39cb5ea5234990N.exe
1644	03964d230265d3bfbf39cb5ea5234990N.exe
1644	03964d230265d3bfbf39cb5ea5234990N.exe
760	03964d230265d3bfbf39cb5ea5234990N.exe
760	03964d230265d3bfbf39cb5ea5234990N.exe
4456	03964d230265d3bfbf39cb5ea5234990N.exe
4456	03964d230265d3bfbf39cb5ea5234990N.exe
2752	03964d230265d3bfbf39cb5ea5234990N.exe
2752	03964d230265d3bfbf39cb5ea5234990N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4972	4716	03964d230265d3bfbf39cb5ea5234990N.exe	87
PID 4716 wrote to memory of 4972	4716	03964d230265d3bfbf39cb5ea5234990N.exe	87
PID 4716 wrote to memory of 4972	4716	03964d230265d3bfbf39cb5ea5234990N.exe	87
PID 4716 wrote to memory of 2212	4716	03964d230265d3bfbf39cb5ea5234990N.exe	92
PID 4716 wrote to memory of 2212	4716	03964d230265d3bfbf39cb5ea5234990N.exe	92
PID 4716 wrote to memory of 2212	4716	03964d230265d3bfbf39cb5ea5234990N.exe	92
PID 4972 wrote to memory of 1344	4972	03964d230265d3bfbf39cb5ea5234990N.exe	93
PID 4972 wrote to memory of 1344	4972	03964d230265d3bfbf39cb5ea5234990N.exe	93
PID 4972 wrote to memory of 1344	4972	03964d230265d3bfbf39cb5ea5234990N.exe	93
PID 4716 wrote to memory of 3896	4716	03964d230265d3bfbf39cb5ea5234990N.exe	94
PID 4716 wrote to memory of 3896	4716	03964d230265d3bfbf39cb5ea5234990N.exe	94
PID 4716 wrote to memory of 3896	4716	03964d230265d3bfbf39cb5ea5234990N.exe	94
PID 2212 wrote to memory of 760	2212	03964d230265d3bfbf39cb5ea5234990N.exe	95
PID 2212 wrote to memory of 760	2212	03964d230265d3bfbf39cb5ea5234990N.exe	95
PID 2212 wrote to memory of 760	2212	03964d230265d3bfbf39cb5ea5234990N.exe	95
PID 4972 wrote to memory of 1516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	96
PID 4972 wrote to memory of 1516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	96
PID 4972 wrote to memory of 1516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	96
PID 1344 wrote to memory of 4456	1344	03964d230265d3bfbf39cb5ea5234990N.exe	98
PID 1344 wrote to memory of 4456	1344	03964d230265d3bfbf39cb5ea5234990N.exe	98
PID 1344 wrote to memory of 4456	1344	03964d230265d3bfbf39cb5ea5234990N.exe	98
PID 4716 wrote to memory of 4968	4716	03964d230265d3bfbf39cb5ea5234990N.exe	99
PID 4716 wrote to memory of 4968	4716	03964d230265d3bfbf39cb5ea5234990N.exe	99
PID 4716 wrote to memory of 4968	4716	03964d230265d3bfbf39cb5ea5234990N.exe	99
PID 2212 wrote to memory of 2856	2212	03964d230265d3bfbf39cb5ea5234990N.exe	100
PID 2212 wrote to memory of 2856	2212	03964d230265d3bfbf39cb5ea5234990N.exe	100
PID 2212 wrote to memory of 2856	2212	03964d230265d3bfbf39cb5ea5234990N.exe	100
PID 4972 wrote to memory of 2516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	101
PID 4972 wrote to memory of 2516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	101
PID 4972 wrote to memory of 2516	4972	03964d230265d3bfbf39cb5ea5234990N.exe	101
PID 1344 wrote to memory of 3140	1344	03964d230265d3bfbf39cb5ea5234990N.exe	102
PID 1344 wrote to memory of 3140	1344	03964d230265d3bfbf39cb5ea5234990N.exe	102
PID 1344 wrote to memory of 3140	1344	03964d230265d3bfbf39cb5ea5234990N.exe	102
PID 1516 wrote to memory of 4216	1516	03964d230265d3bfbf39cb5ea5234990N.exe	103
PID 1516 wrote to memory of 4216	1516	03964d230265d3bfbf39cb5ea5234990N.exe	103
PID 1516 wrote to memory of 4216	1516	03964d230265d3bfbf39cb5ea5234990N.exe	103
PID 3896 wrote to memory of 3248	3896	03964d230265d3bfbf39cb5ea5234990N.exe	104
PID 3896 wrote to memory of 3248	3896	03964d230265d3bfbf39cb5ea5234990N.exe	104
PID 3896 wrote to memory of 3248	3896	03964d230265d3bfbf39cb5ea5234990N.exe	104
PID 760 wrote to memory of 1604	760	03964d230265d3bfbf39cb5ea5234990N.exe	105
PID 760 wrote to memory of 1604	760	03964d230265d3bfbf39cb5ea5234990N.exe	105
PID 760 wrote to memory of 1604	760	03964d230265d3bfbf39cb5ea5234990N.exe	105
PID 4456 wrote to memory of 1644	4456	03964d230265d3bfbf39cb5ea5234990N.exe	106
PID 4456 wrote to memory of 1644	4456	03964d230265d3bfbf39cb5ea5234990N.exe	106
PID 4456 wrote to memory of 1644	4456	03964d230265d3bfbf39cb5ea5234990N.exe	106
PID 4716 wrote to memory of 2752	4716	03964d230265d3bfbf39cb5ea5234990N.exe	108
PID 4716 wrote to memory of 2752	4716	03964d230265d3bfbf39cb5ea5234990N.exe	108
PID 4716 wrote to memory of 2752	4716	03964d230265d3bfbf39cb5ea5234990N.exe	108
PID 2212 wrote to memory of 4572	2212	03964d230265d3bfbf39cb5ea5234990N.exe	109
PID 2212 wrote to memory of 4572	2212	03964d230265d3bfbf39cb5ea5234990N.exe	109
PID 2212 wrote to memory of 4572	2212	03964d230265d3bfbf39cb5ea5234990N.exe	109
PID 4972 wrote to memory of 2576	4972	03964d230265d3bfbf39cb5ea5234990N.exe	110
PID 4972 wrote to memory of 2576	4972	03964d230265d3bfbf39cb5ea5234990N.exe	110
PID 4972 wrote to memory of 2576	4972	03964d230265d3bfbf39cb5ea5234990N.exe	110
PID 1516 wrote to memory of 4888	1516	03964d230265d3bfbf39cb5ea5234990N.exe	111
PID 1516 wrote to memory of 4888	1516	03964d230265d3bfbf39cb5ea5234990N.exe	111
PID 1516 wrote to memory of 4888	1516	03964d230265d3bfbf39cb5ea5234990N.exe	111
PID 1344 wrote to memory of 2356	1344	03964d230265d3bfbf39cb5ea5234990N.exe	112
PID 1344 wrote to memory of 2356	1344	03964d230265d3bfbf39cb5ea5234990N.exe	112
PID 1344 wrote to memory of 2356	1344	03964d230265d3bfbf39cb5ea5234990N.exe	112
PID 4968 wrote to memory of 896	4968	03964d230265d3bfbf39cb5ea5234990N.exe	113
PID 4968 wrote to memory of 896	4968	03964d230265d3bfbf39cb5ea5234990N.exe	113
PID 4968 wrote to memory of 896	4968	03964d230265d3bfbf39cb5ea5234990N.exe	113
PID 760 wrote to memory of 4300	760	03964d230265d3bfbf39cb5ea5234990N.exe	114

C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
"C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        Checks computer location settings
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:12428
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:16264
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:14328
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:9904
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:16312
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:12316
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:16144
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        8⤵
        
        PID:16096
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:12364
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:12676
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:8996
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12492
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16296
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        Checks computer location settings
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:9440
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:12348
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:16160
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:14296
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:15968
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12324
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16200
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10136
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16112
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6432
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12692
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8512
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12556
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:12380
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:16176
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:14348
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10120
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:14676
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16120
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:9236
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12388
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16192
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14168
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8700
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12524
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:7524
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10252
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:15868
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9096
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12460
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6480
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:14160
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12580
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        Checks computer location settings
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:16068
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:14184
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:8688
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12564
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:9504
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12404
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16240
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6528
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14176
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9136
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:15720
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12476
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16288
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12668
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14224
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8484
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12604
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8408
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12644
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8544
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15672
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12516
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:15480
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16104
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:7532
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10304
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:464
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5224
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9244
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12444
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16304
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6496
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12700
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8528
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6156
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10064
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12300
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:7216
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:10056
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15488
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12308
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16152
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8420
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12628
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:6560
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:14320
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:8716
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12612
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        Checks computer location settings
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:16060
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10412
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12280
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16076
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12548
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6520
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14216
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8468
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12652
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12396
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14340
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8476
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12572
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5232
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9460
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12420
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16256
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6440
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12588
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8452
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12596
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:9540
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:12412
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:16248
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:7684
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10328
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14624
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9160
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12452
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6472
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12620
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8732
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12540
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6192
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10020
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12340
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16168
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:7200
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:9816
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12252
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16232
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:10312
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15540
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16128
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:6488
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:14208
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:8844
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12508
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      Checks computer location settings
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        7⤵
        
        PID:15680
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:14192
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:8388
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12636
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9688
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:12372
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:14200
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8724
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12500
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6288
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:10152
      - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        6⤵
        
        PID:15436
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:11080
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16028
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:7452
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:14232
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:10096
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15776
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12292
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16136
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:9256
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15840
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12264
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16008
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:6504
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16044
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:9004
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12468
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:16280
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    - Checks computer location settings
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:9168
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:16036
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:7208
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:9848
    - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
        5⤵
        
        PID:15532
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12332
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:8836
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12484
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:6512
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16052
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:8536
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12532
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:9272
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:12436
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:16272
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:14356
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:9876
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:15372
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12356
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:16184
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:9676
  - - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
      "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
      4⤵
      PID:15828
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:11468
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:16016
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  PID:6552
- - C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
    "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
    3⤵
    PID:12684
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  PID:8460
- C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe
  "C:\Users\Admin\AppData\Local\Temp\03964d230265d3bfbf39cb5ea5234990N.exe"
  2⤵
  PID:12660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\action xxx girls (Gina,Jade).avi.exe

Filesize
168KB

MD5
8f5ccec2949bf1beb7d720e71c826627

SHA1
fc53dfadc3e09468171f65d763f5a6eb31feac8c

SHA256
c6e68b03617650b351c876ee1415656f74a148e8096e8e8a205869258b10d9fa

SHA512
af58237125b51ea79afa6e830e62cb14f4438646e54259d49d45d53ace8d8a0b42c49bb0e8d5dc7b19e8dc1e447a98dcb42201f73c12917127d1dfc0e15c77c6

Download Submit