44a199edb96e9439c388d2e6c3f52ec99d133c4b11ee3784c429740658e5e78f

Analysis

max time kernel
16s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10c4bb72ab3b2862987122e1e310c990N.exe
Size

2.0MB
MD5

10c4bb72ab3b2862987122e1e310c990
SHA1

f331fc91b8d79e17158d100d801a11ee79058555
SHA256

44a199edb96e9439c388d2e6c3f52ec99d133c4b11ee3784c429740658e5e78f
SHA512

833632b2e6a3664378973ae9a0708c66a8fe0a622ce0d8cb7344a0a5af1eee8760f1037b7fd2db8309bc087f6abb9bccc37a8da4c47987f4b49c0a06926c8c92
SSDEEP

49152:VLNH+iB6U34KiRyNfDlkcNz6p94hycHR3MnB7NWe101sm8:3eiBT4pRyYcN8wRQB7NWS6sl

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	10c4bb72ab3b2862987122e1e310c990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	10c4bb72ab3b2862987122e1e310c990N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\G:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\I:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\Q:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\R:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\U:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\B:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\J:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\O:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\P:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\M:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\T:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\X:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\Z:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\W:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\A:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\H:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\K:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\L:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\N:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\S:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\V:	10c4bb72ab3b2862987122e1e310c990N.exe
File opened (read-only)	\??\Y:	10c4bb72ab3b2862987122e1e310c990N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\spanish fetish cumshot [bangbus] circumcision .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish beast hidden .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian gay action masturbation (Melissa,Anniston).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american kicking masturbation swallow (Tatjana).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american animal kicking lesbian (Sonja,Liz).mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn [free] circumcision .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish hardcore [bangbus] swallow (Gina).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\porn action lesbian mature .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\System32\DriverStore\Temp\beastiality voyeur cock .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\african horse horse girls femdom .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake public young .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake beast masturbation sweet .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\malaysia cumshot sleeping bondage .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Google\Temp\malaysia sperm beastiality licking high heels .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish cumshot voyeur vagina bondage .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\horse horse big legs young .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\xxx handjob masturbation (Jade,Ashley).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\horse hardcore [milf] .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\african fetish big castration .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\dotnet\shared\russian fetish horse big .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\black hardcore beast uncut legs shoes .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian cum catfight .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\fucking uncut fishy (Tatjana,Kathrin).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese animal sleeping .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\british animal porn licking titts swallow .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx horse hidden boobs .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Common Files\microsoft shared\african lesbian public hole 50+ .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\british fetish sleeping nipples .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\canadian lesbian public (Ashley,Tatjana).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\danish trambling blowjob voyeur shower (Karin).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\danish kicking animal hot (!) boots .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\beastiality [milf] glans hotel .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\chinese handjob blowjob voyeur nipples upskirt (Karin,Karin).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\chinese beast sperm licking upskirt (Janette).mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\asian horse handjob sleeping ash redhair (Anniston).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\horse voyeur vagina redhair .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\canadian fucking cum sleeping ejaculation .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\german fetish beast hot (!) boobs .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\black trambling [bangbus] redhair .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\chinese nude big traffic (Kathrin,Sandy).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\indian blowjob uncut young .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\spanish trambling blowjob [free] boots .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\animal hidden penetration .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\british kicking fucking full movie (Jenna).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\kicking full movie stockings (Kathrin).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\chinese kicking handjob several models circumcision .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\lingerie several models mature (Sandy).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\japanese gang bang action hot (!) YEâPSè& .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\gay [bangbus] .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\handjob sperm hot (!) boobs mature .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\gay horse big boots .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\xxx fetish public swallow .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\kicking animal [milf] fishy .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\beast full movie hole .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\german beast masturbation granny .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian gay lesbian uncut mature (Jade,Tatjana).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\tyrkish nude action catfight vagina circumcision (Jade,Janette).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\asian trambling gay hot (!) cock upskirt .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\cum beast several models redhair .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\cumshot hot (!) circumcision (Britney,Tatjana).mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\CbsTemp\italian beastiality horse [milf] nipples .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\security\templates\brasilian animal uncut .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\german beastiality blowjob [free] balls (Samantha).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\swedish fetish xxx hot (!) .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\Downloaded Program Files\italian gay animal full movie swallow .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\InputMethod\SHARED\american bukkake nude voyeur bondage .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\danish animal horse catfight .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\assembly\tmp\malaysia nude girls granny .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\spanish gang bang gang bang [milf] cock granny (Melissa,Sylvia).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\blowjob horse licking leather (Jenna,Liz).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\indian kicking [bangbus] .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\danish gang bang cumshot masturbation cock 50+ .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\japanese gang bang animal girls blondie (Liz,Anniston).rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\nude big (Melissa,Sonja).mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\bukkake voyeur balls .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\african gay porn hidden cock leather (Britney).mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\spanish horse lesbian .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\tyrkish horse lesbian feet (Sonja,Jenna).avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\gang bang hot (!) .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\black gay voyeur hole (Tatjana).zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\lesbian [free] wifey .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\beastiality blowjob public YEâPSè& .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\chinese fetish [bangbus] titts .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\norwegian gay gay public (Sylvia,Karin).mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\action girls Ôï .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\sperm girls .zip.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\japanese cum blowjob [bangbus] titts gorgeoushorny (Samantha,Sylvia).mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\canadian horse [bangbus] glans mature .mpeg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\indian kicking kicking uncut glans .mpg.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\black gay lesbian pregnant .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\swedish bukkake [milf] nipples .rar.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\mssrv.exe	10c4bb72ab3b2862987122e1e310c990N.exe
File created	C:\Windows\PLA\Templates\gang bang masturbation balls .avi.exe	10c4bb72ab3b2862987122e1e310c990N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
1792	10c4bb72ab3b2862987122e1e310c990N.exe
1792	10c4bb72ab3b2862987122e1e310c990N.exe
408	10c4bb72ab3b2862987122e1e310c990N.exe
408	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
224	10c4bb72ab3b2862987122e1e310c990N.exe
224	10c4bb72ab3b2862987122e1e310c990N.exe
1256	10c4bb72ab3b2862987122e1e310c990N.exe
1256	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
1828	10c4bb72ab3b2862987122e1e310c990N.exe
1828	10c4bb72ab3b2862987122e1e310c990N.exe
5024	10c4bb72ab3b2862987122e1e310c990N.exe
5024	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
3596	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
4308	10c4bb72ab3b2862987122e1e310c990N.exe
1724	10c4bb72ab3b2862987122e1e310c990N.exe
1724	10c4bb72ab3b2862987122e1e310c990N.exe
2128	10c4bb72ab3b2862987122e1e310c990N.exe
2128	10c4bb72ab3b2862987122e1e310c990N.exe
2184	10c4bb72ab3b2862987122e1e310c990N.exe
2184	10c4bb72ab3b2862987122e1e310c990N.exe
1792	10c4bb72ab3b2862987122e1e310c990N.exe
1792	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
2408	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
5072	10c4bb72ab3b2862987122e1e310c990N.exe
1100	10c4bb72ab3b2862987122e1e310c990N.exe
1100	10c4bb72ab3b2862987122e1e310c990N.exe
408	10c4bb72ab3b2862987122e1e310c990N.exe
408	10c4bb72ab3b2862987122e1e310c990N.exe
3308	10c4bb72ab3b2862987122e1e310c990N.exe
3308	10c4bb72ab3b2862987122e1e310c990N.exe
4036	10c4bb72ab3b2862987122e1e310c990N.exe
4036	10c4bb72ab3b2862987122e1e310c990N.exe
224	10c4bb72ab3b2862987122e1e310c990N.exe
224	10c4bb72ab3b2862987122e1e310c990N.exe
1256	10c4bb72ab3b2862987122e1e310c990N.exe
1256	10c4bb72ab3b2862987122e1e310c990N.exe
4744	10c4bb72ab3b2862987122e1e310c990N.exe
4744	10c4bb72ab3b2862987122e1e310c990N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4308	3596	10c4bb72ab3b2862987122e1e310c990N.exe	87
PID 3596 wrote to memory of 4308	3596	10c4bb72ab3b2862987122e1e310c990N.exe	87
PID 3596 wrote to memory of 4308	3596	10c4bb72ab3b2862987122e1e310c990N.exe	87
PID 3596 wrote to memory of 5072	3596	10c4bb72ab3b2862987122e1e310c990N.exe	91
PID 3596 wrote to memory of 5072	3596	10c4bb72ab3b2862987122e1e310c990N.exe	91
PID 3596 wrote to memory of 5072	3596	10c4bb72ab3b2862987122e1e310c990N.exe	91
PID 4308 wrote to memory of 2408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	92
PID 4308 wrote to memory of 2408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	92
PID 4308 wrote to memory of 2408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	92
PID 4308 wrote to memory of 408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	94
PID 4308 wrote to memory of 408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	94
PID 4308 wrote to memory of 408	4308	10c4bb72ab3b2862987122e1e310c990N.exe	94
PID 3596 wrote to memory of 1792	3596	10c4bb72ab3b2862987122e1e310c990N.exe	95
PID 3596 wrote to memory of 1792	3596	10c4bb72ab3b2862987122e1e310c990N.exe	95
PID 3596 wrote to memory of 1792	3596	10c4bb72ab3b2862987122e1e310c990N.exe	95
PID 5072 wrote to memory of 1256	5072	10c4bb72ab3b2862987122e1e310c990N.exe	96
PID 5072 wrote to memory of 1256	5072	10c4bb72ab3b2862987122e1e310c990N.exe	96
PID 5072 wrote to memory of 1256	5072	10c4bb72ab3b2862987122e1e310c990N.exe	96
PID 2408 wrote to memory of 224	2408	10c4bb72ab3b2862987122e1e310c990N.exe	97
PID 2408 wrote to memory of 224	2408	10c4bb72ab3b2862987122e1e310c990N.exe	97
PID 2408 wrote to memory of 224	2408	10c4bb72ab3b2862987122e1e310c990N.exe	97
PID 3596 wrote to memory of 1828	3596	10c4bb72ab3b2862987122e1e310c990N.exe	99
PID 3596 wrote to memory of 1828	3596	10c4bb72ab3b2862987122e1e310c990N.exe	99
PID 3596 wrote to memory of 1828	3596	10c4bb72ab3b2862987122e1e310c990N.exe	99
PID 4308 wrote to memory of 5024	4308	10c4bb72ab3b2862987122e1e310c990N.exe	100
PID 4308 wrote to memory of 5024	4308	10c4bb72ab3b2862987122e1e310c990N.exe	100
PID 4308 wrote to memory of 5024	4308	10c4bb72ab3b2862987122e1e310c990N.exe	100
PID 5072 wrote to memory of 1724	5072	10c4bb72ab3b2862987122e1e310c990N.exe	101
PID 5072 wrote to memory of 1724	5072	10c4bb72ab3b2862987122e1e310c990N.exe	101
PID 5072 wrote to memory of 1724	5072	10c4bb72ab3b2862987122e1e310c990N.exe	101
PID 1792 wrote to memory of 2128	1792	10c4bb72ab3b2862987122e1e310c990N.exe	102
PID 1792 wrote to memory of 2128	1792	10c4bb72ab3b2862987122e1e310c990N.exe	102
PID 1792 wrote to memory of 2128	1792	10c4bb72ab3b2862987122e1e310c990N.exe	102
PID 2408 wrote to memory of 2184	2408	10c4bb72ab3b2862987122e1e310c990N.exe	103
PID 2408 wrote to memory of 2184	2408	10c4bb72ab3b2862987122e1e310c990N.exe	103
PID 2408 wrote to memory of 2184	2408	10c4bb72ab3b2862987122e1e310c990N.exe	103
PID 408 wrote to memory of 1100	408	10c4bb72ab3b2862987122e1e310c990N.exe	104
PID 408 wrote to memory of 1100	408	10c4bb72ab3b2862987122e1e310c990N.exe	104
PID 408 wrote to memory of 1100	408	10c4bb72ab3b2862987122e1e310c990N.exe	104
PID 224 wrote to memory of 3308	224	10c4bb72ab3b2862987122e1e310c990N.exe	105
PID 224 wrote to memory of 3308	224	10c4bb72ab3b2862987122e1e310c990N.exe	105
PID 224 wrote to memory of 3308	224	10c4bb72ab3b2862987122e1e310c990N.exe	105
PID 1256 wrote to memory of 4036	1256	10c4bb72ab3b2862987122e1e310c990N.exe	106
PID 1256 wrote to memory of 4036	1256	10c4bb72ab3b2862987122e1e310c990N.exe	106
PID 1256 wrote to memory of 4036	1256	10c4bb72ab3b2862987122e1e310c990N.exe	106
PID 3596 wrote to memory of 2376	3596	10c4bb72ab3b2862987122e1e310c990N.exe	108
PID 3596 wrote to memory of 2376	3596	10c4bb72ab3b2862987122e1e310c990N.exe	108
PID 3596 wrote to memory of 2376	3596	10c4bb72ab3b2862987122e1e310c990N.exe	108
PID 4308 wrote to memory of 4744	4308	10c4bb72ab3b2862987122e1e310c990N.exe	109
PID 4308 wrote to memory of 4744	4308	10c4bb72ab3b2862987122e1e310c990N.exe	109
PID 4308 wrote to memory of 4744	4308	10c4bb72ab3b2862987122e1e310c990N.exe	109
PID 1828 wrote to memory of 1004	1828	10c4bb72ab3b2862987122e1e310c990N.exe	110
PID 1828 wrote to memory of 1004	1828	10c4bb72ab3b2862987122e1e310c990N.exe	110
PID 1828 wrote to memory of 1004	1828	10c4bb72ab3b2862987122e1e310c990N.exe	110
PID 1792 wrote to memory of 1788	1792	10c4bb72ab3b2862987122e1e310c990N.exe	111
PID 1792 wrote to memory of 1788	1792	10c4bb72ab3b2862987122e1e310c990N.exe	111
PID 1792 wrote to memory of 1788	1792	10c4bb72ab3b2862987122e1e310c990N.exe	111
PID 5072 wrote to memory of 2636	5072	10c4bb72ab3b2862987122e1e310c990N.exe	112
PID 5072 wrote to memory of 2636	5072	10c4bb72ab3b2862987122e1e310c990N.exe	112
PID 5072 wrote to memory of 2636	5072	10c4bb72ab3b2862987122e1e310c990N.exe	112
PID 408 wrote to memory of 1288	408	10c4bb72ab3b2862987122e1e310c990N.exe	113
PID 408 wrote to memory of 1288	408	10c4bb72ab3b2862987122e1e310c990N.exe	113
PID 408 wrote to memory of 1288	408	10c4bb72ab3b2862987122e1e310c990N.exe	113
PID 2408 wrote to memory of 2352	2408	10c4bb72ab3b2862987122e1e310c990N.exe	114

C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
"C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        8⤵
        
        PID:9884
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        8⤵
        
        PID:12596
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12772
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12676
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:13940
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:8224
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12476
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:10476
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        8⤵
        
        PID:13736
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12560
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:13348
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:8888
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12868
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:5128
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:8900
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12860
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6412
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:13912
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:8108
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:11192
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12524
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:664
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12668
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:7112
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9436
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12780
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:8660
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:13828
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6436
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:13700
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:8156
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12508
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12572
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9484
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12732
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9700
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12692
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6500
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:13260
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8540
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13872
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12652
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:7084
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9492
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12804
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:7792
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:10596
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12460
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6420
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:13904
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:8188
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:11068
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12532
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:1288
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9828
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12628
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9540
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12724
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5160
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:10112
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12604
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6516
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:13888
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:11352
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12500
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6312
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:10484
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12556
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:7236
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9664
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12452
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5144
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6392
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6508
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:13728
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13956
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6024
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9224
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12820
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:7144
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9412
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12756
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8760
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12844
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:6428
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13268
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8196
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8692
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:12444
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:12468
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        7⤵
        
        PID:13356
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:13992
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9692
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12700
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6452
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:8548
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:13932
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:4932
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:5992
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:10724
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12548
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:7092
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9428
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12748
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5136
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:10104
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12588
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6444
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8204
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:11008
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12540
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9812
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12636
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9572
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12716
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9240
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12828
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6468
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12852
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8180
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12484
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9860
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12660
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:7128
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9444
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12788
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9820
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12644
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:6492
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13896
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8532
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:13920
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        6⤵
        
        PID:12620
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9532
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12740
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:9192
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12812
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6460
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:13880
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8212
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13984
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:10408
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12580
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:7160
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9404
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12764
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:8684
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12876
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13744
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8428
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:13948
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:10228
    - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
        5⤵
        
        PID:12612
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:7120
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9452
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12796
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9892
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13100
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:13768
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:11344
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:12492
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:9844
  - - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
      "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
      4⤵
      PID:12684
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:7136
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:9580
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:12708
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:8868
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:13976
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:6476
- - C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
    "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
    3⤵
    PID:12884
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:8100
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:11132
- C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe
  "C:\Users\Admin\AppData\Local\Temp\10c4bb72ab3b2862987122e1e310c990N.exe"
  2⤵
  PID:12516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\black hardcore beast uncut legs shoes .avi.exe

Filesize
1.2MB

MD5
5f3614993f4cf2b3224616ee594673f8

SHA1
45936ad5427534913dc13f975d81512bfdf11c4e

SHA256
a1401b32a101836302dae59dfc4769e93147f2c8481a9b08149bd0a4410fb357

SHA512
0271b175726d571b485c4c14c89f12fe1611d180496c47bafc1d7deb91163309d611466fc73d0816888dc4fb7f8896db583181cc74a5bf110082ee8137baed98

Download Submit