d0c6c48dcf1a97609486774c2d13114ae7dabbe054449c8eeec580aa45814b73

Analysis

max time kernel
15s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001f5e6962b0bbe66aa27b2b76c3a260N.exe
Size

1.8MB
MD5

001f5e6962b0bbe66aa27b2b76c3a260
SHA1

6a0f901fb1df198bc79aae47ab97af8c28a2e0b2
SHA256

d0c6c48dcf1a97609486774c2d13114ae7dabbe054449c8eeec580aa45814b73
SHA512

8f30db9ad037a34c98da1e632c98560382d37040974cc6a6c637c8dbeccfc160ebb5d9d9c25f9f0f1342dea9e18045005dae1df7845baf20c8416778c5783031
SSDEEP

49152:Vl7IcvX58qBZNF8u3JeCPFDh6+PCypi1gMbC:/7vJHmuMCpLoeM+

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\P:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\Z:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\A:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\B:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\G:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\R:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\W:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\Y:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\H:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\I:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\L:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\E:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\N:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\V:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\Q:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\S:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\T:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\U:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\X:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\J:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\M:	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File opened (read-only)	\??\O:	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\beast catfight titts 50+ .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish gang bang sperm uncut cock (Sonja,Sarah).avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking [bangbus] 50+ .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore girls hole traffic .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\FxsTmp\french sperm hidden feet 40+ .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob full movie shower .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian porn beast girls .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese animal xxx hot (!) granny .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian handjob sperm hot (!) titts .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake [free] cock 50+ .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian public .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american nude blowjob hidden latex .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\danish handjob sperm girls .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beast big feet hairy .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\trambling sleeping titts .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\japanese horse gay lesbian hole .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay catfight bedroom .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\bukkake girls (Sylvia).mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\horse voyeur cock ejaculation .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cumshot gay [bangbus] (Jade).mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Google\Temp\italian cumshot trambling uncut titts .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\dotnet\shared\lingerie lesbian penetration .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay big (Janette).avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\trambling uncut .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\gay masturbation feet .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Google\Update\Download\russian gang bang fucking masturbation upskirt .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\tyrkish handjob lesbian catfight wifey .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\hardcore [bangbus] ash .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\beast big .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish handjob lingerie masturbation glans bondage .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\xxx lesbian .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\swedish cum bukkake hot (!) 40+ .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\canadian fucking several models .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\tyrkish cum beast girls swallow .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american action sperm public glans sweet .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\xxx girls (Curtney).rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\french lingerie [free] traffic .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\security\templates\bukkake several models hole bondage (Tatjana).rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\malaysia bukkake masturbation glans girly (Melissa).rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\african lesbian licking titts balls .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\russian nude trambling [free] hole 40+ .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\sperm [bangbus] circumcision (Jenna,Curtney).mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\PLA\Templates\tyrkish kicking lesbian licking circumcision .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\italian animal lesbian licking glans .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\russian kicking beast big .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian trambling several models .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\temp\horse girls ejaculation .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\fucking uncut glans girly .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\russian kicking trambling hot (!) blondie (Britney,Melissa).mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\horse beast girls cock latex .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\norwegian lesbian public 40+ (Christine,Sylvia).avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\danish cumshot blowjob lesbian stockings .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\american porn bukkake big gorgeoushorny (Sonja,Samantha).zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\indian porn fucking several models mature .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\danish fetish beast several models cock traffic .rar.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\chinese lesbian several models titts granny (Samantha).zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese kicking lesbian licking pregnant .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\brasilian kicking blowjob masturbation feet .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\black handjob blowjob several models .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\handjob horse [bangbus] feet .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\Downloaded Program Files\danish cum blowjob full movie glans high heels (Sylvia).avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore hot (!) gorgeoushorny .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse hardcore voyeur (Liz).mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\CbsTemp\danish fetish xxx full movie titts fishy .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american beastiality fucking several models 50+ .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\african hardcore hot (!) traffic .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\german xxx voyeur .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian fetish lesbian hidden hole .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\indian animal sperm catfight cock lady .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\black cum beast hot (!) hotel .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\french lingerie lesbian (Janette).zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\mssrv.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\bukkake big glans ¤ç .zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\danish gang bang bukkake voyeur swallow .mpeg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\canadian fucking voyeur leather .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\assembly\tmp\danish action sperm [bangbus] .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\InputMethod\SHARED\brasilian fetish horse public cock bedroom (Jade).zip.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\handjob beast several models traffic .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\blowjob full movie .mpg.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\indian gang bang horse [bangbus] bedroom .avi.exe	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
916	001f5e6962b0bbe66aa27b2b76c3a260N.exe
916	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4028	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4028	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1468	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1468	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1264	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1264	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2992	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2992	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1852	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe
1852	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3232	001f5e6962b0bbe66aa27b2b76c3a260N.exe
3232	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4940	001f5e6962b0bbe66aa27b2b76c3a260N.exe
4940	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe
2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe
916	001f5e6962b0bbe66aa27b2b76c3a260N.exe
916	001f5e6962b0bbe66aa27b2b76c3a260N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4728	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	87
PID 2800 wrote to memory of 4728	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	87
PID 2800 wrote to memory of 4728	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	87
PID 2800 wrote to memory of 3120	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	89
PID 2800 wrote to memory of 3120	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	89
PID 2800 wrote to memory of 3120	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	89
PID 4728 wrote to memory of 4404	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	90
PID 4728 wrote to memory of 4404	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	90
PID 4728 wrote to memory of 4404	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	90
PID 2800 wrote to memory of 3896	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	93
PID 2800 wrote to memory of 3896	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	93
PID 2800 wrote to memory of 3896	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	93
PID 3120 wrote to memory of 3164	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	94
PID 3120 wrote to memory of 3164	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	94
PID 3120 wrote to memory of 3164	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	94
PID 4728 wrote to memory of 2756	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	95
PID 4728 wrote to memory of 2756	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	95
PID 4728 wrote to memory of 2756	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	95
PID 4404 wrote to memory of 2900	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	96
PID 4404 wrote to memory of 2900	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	96
PID 4404 wrote to memory of 2900	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	96
PID 3896 wrote to memory of 4028	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	99
PID 3896 wrote to memory of 4028	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	99
PID 3896 wrote to memory of 4028	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	99
PID 2800 wrote to memory of 916	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	100
PID 2800 wrote to memory of 916	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	100
PID 2800 wrote to memory of 916	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	100
PID 3120 wrote to memory of 1468	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	101
PID 3120 wrote to memory of 1468	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	101
PID 3120 wrote to memory of 1468	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	101
PID 4728 wrote to memory of 1264	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	102
PID 4728 wrote to memory of 1264	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	102
PID 4728 wrote to memory of 1264	4728	001f5e6962b0bbe66aa27b2b76c3a260N.exe	102
PID 3164 wrote to memory of 2992	3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe	103
PID 3164 wrote to memory of 2992	3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe	103
PID 3164 wrote to memory of 2992	3164	001f5e6962b0bbe66aa27b2b76c3a260N.exe	103
PID 4404 wrote to memory of 1852	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	104
PID 4404 wrote to memory of 1852	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	104
PID 4404 wrote to memory of 1852	4404	001f5e6962b0bbe66aa27b2b76c3a260N.exe	104
PID 2756 wrote to memory of 3232	2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe	105
PID 2756 wrote to memory of 3232	2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe	105
PID 2756 wrote to memory of 3232	2756	001f5e6962b0bbe66aa27b2b76c3a260N.exe	105
PID 2900 wrote to memory of 4940	2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe	106
PID 2900 wrote to memory of 4940	2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe	106
PID 2900 wrote to memory of 4940	2900	001f5e6962b0bbe66aa27b2b76c3a260N.exe	106
PID 916 wrote to memory of 1324	916	001f5e6962b0bbe66aa27b2b76c3a260N.exe	108
PID 916 wrote to memory of 1324	916	001f5e6962b0bbe66aa27b2b76c3a260N.exe	108
PID 916 wrote to memory of 1324	916	001f5e6962b0bbe66aa27b2b76c3a260N.exe	108
PID 2800 wrote to memory of 3656	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	109
PID 2800 wrote to memory of 3656	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	109
PID 2800 wrote to memory of 3656	2800	001f5e6962b0bbe66aa27b2b76c3a260N.exe	109
PID 3896 wrote to memory of 3676	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	110
PID 3896 wrote to memory of 3676	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	110
PID 3896 wrote to memory of 3676	3896	001f5e6962b0bbe66aa27b2b76c3a260N.exe	110
PID 3120 wrote to memory of 744	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	111
PID 3120 wrote to memory of 744	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	111
PID 3120 wrote to memory of 744	3120	001f5e6962b0bbe66aa27b2b76c3a260N.exe	111
PID 4028 wrote to memory of 4560	4028	001f5e6962b0bbe66aa27b2b76c3a260N.exe	112
PID 4028 wrote to memory of 4560	4028	001f5e6962b0bbe66aa27b2b76c3a260N.exe	112
PID 4028 wrote to memory of 4560	4028	001f5e6962b0bbe66aa27b2b76c3a260N.exe	112
PID 1468 wrote to memory of 1768	1468	001f5e6962b0bbe66aa27b2b76c3a260N.exe	113
PID 1468 wrote to memory of 1768	1468	001f5e6962b0bbe66aa27b2b76c3a260N.exe	113
PID 1468 wrote to memory of 1768	1468	001f5e6962b0bbe66aa27b2b76c3a260N.exe	113
PID 1264 wrote to memory of 5056	1264	001f5e6962b0bbe66aa27b2b76c3a260N.exe	114

C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
"C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        8⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        8⤵
        
        PID:14000
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:10768
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:14580
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:8844
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:11728
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:13388
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:12308
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:11356
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:15464
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:8048
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:11096
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:15036
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:8900
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13028
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9184
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:12628
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:14620
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:7912
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10736
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:14544
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:15728
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10296
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13900
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13468
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9044
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:12340
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:9724
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13676
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7508
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13760
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9992
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13744
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7560
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13992
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10184
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13828
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13204
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:9140
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:12316
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:13968
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:13928
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10280
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13860
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5456
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:8536
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:11440
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:15736
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13452
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:8940
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:12152
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10040
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13736
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:15280
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10024
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13728
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5384
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:8624
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:11524
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6816
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13380
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:9148
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:12296
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6124
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10268
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13872
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:8028
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10908
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:15392
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5248
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13880
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10168
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13820
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:12280
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8596
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11516
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:16084
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10332
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13912
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:7960
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11120
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:15008
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:15044
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11744
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:9104
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:9528
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        7⤵
        
        PID:13984
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:10752
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:14536
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:8908
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:11984
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6764
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13264
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9000
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9840
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:11560
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7904
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10776
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:14612
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10744
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:14928
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8668
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11760
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:11768
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7968
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10784
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:14756
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:6316
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:11312
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:15248
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:11776
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8632
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11636
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6212
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10584
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:14024
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:7976
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10708
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14528
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10728
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14628
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:6580
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:12684
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:8548
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:11472
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:15836
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:5952
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13720
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7364
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:13460
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:9576
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13584
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:5164
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        6⤵
        
        PID:15476
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10340
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13976
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6352
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:11736
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8460
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11320
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:15240
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6116
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10528
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:14016
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8012
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10760
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14552
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:7576
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13920
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10160
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:13812
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:6324
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:11552
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:8160
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:11112
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:15052
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:10176
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13888
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:8020
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10796
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14740
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:7200
    - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
        5⤵
        
        PID:13560
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:9440
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:13440
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:6268
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10892
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14940
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:8004
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:10824
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:14920
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:10832
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:14748
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:8184
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:11104
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:15400
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:5144
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:7520
  - - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
      "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
      4⤵
      PID:15456
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:10052
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:13752
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:6296
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:10616
- - C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
    "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
    3⤵
    PID:14500
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:8040
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:10916
- C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe
  "C:\Users\Admin\AppData\Local\Temp\001f5e6962b0bbe66aa27b2b76c3a260N.exe"
  2⤵
  PID:15000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beast big feet hairy .mpg.exe

Filesize
354KB

MD5
32b79fb4e73a3e6e63fe76926d205761

SHA1
1c907d6282efb00eea9139061bfca035c2d19910

SHA256
449721d27de4fe674234b69bd4123ffeac3fac7b1c5aec5d79fde4beddbac8d3

SHA512
e2877bd875d0238eff7e272b084b9ab71868f8845cb13a57674b9594642bf03ba74e2eb4c18cc6c47206aeea8201897e3626f8e8b1c62113352382892b19a234

Download Submit