33ff656fc2eaf4bbc288a5c1539f613c4dbdc7b8b02955655209cd43b2032e6b

Analysis

max time kernel
10s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d6fc979da0b19d9f422f71575df9a0N.exe
Size

1.7MB
MD5

65d6fc979da0b19d9f422f71575df9a0
SHA1

5dfd5e28081f424a4c068be34cac75e8d166c9cb
SHA256

33ff656fc2eaf4bbc288a5c1539f613c4dbdc7b8b02955655209cd43b2032e6b
SHA512

d07dde6a6d5e367093496b242df5bf63105cc83011a9b2261a1dfa22e6525f9a2c4be1644556fb614c8a077d118db60a94663556a98fcdf82cf1b25004e03d18
SSDEEP

24576:86elKmG1tJAeCyyjHBp9queSMpr5U5JUbBKyVYiDqVFpeaU5HaynMC:5W3GHJAeOHoBtUz2VYSqZvcHaynMC

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65d6fc979da0b19d9f422f71575df9a0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	65d6fc979da0b19d9f422f71575df9a0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\W:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\I:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\J:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\Q:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\S:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\Y:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\Z:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\A:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\H:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\L:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\T:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\M:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\N:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\V:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\B:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\E:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\G:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\K:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\O:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\P:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\R:	65d6fc979da0b19d9f422f71575df9a0N.exe
File opened (read-only)	\??\X:	65d6fc979da0b19d9f422f71575df9a0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\russian porn lesbian masturbation hairy .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish horse hardcore girls sm .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian gang bang xxx hot (!) .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\hardcore girls leather .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese action lesbian sleeping balls .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian fetish xxx girls glans upskirt .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm catfight cock (Kathrin,Karin).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie [free] .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse sleeping cock bedroom (Jade).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse [bangbus] 50+ .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese kicking lingerie licking cock .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm girls traffic .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\beast public 50+ .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\italian cum sperm [bangbus] hole hotel (Melissa).avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese nude xxx several models young .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\swedish action hardcore voyeur 40+ (Ashley,Karin).rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\sperm full movie glans .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\black action hardcore public (Tatjana).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\lesbian voyeur titts (Jenna,Sylvia).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Google\Temp\lingerie masturbation (Liz).zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lesbian uncut .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\dotnet\shared\brasilian porn blowjob masturbation .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\hardcore sleeping titts .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\lingerie voyeur cock beautyfull (Janette).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\blowjob big .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\horse beast public .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish gang bang lingerie voyeur hairy .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lesbian full movie blondie .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\american cumshot blowjob public .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\british lesbian uncut shower .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\bukkake several models feet (Sonja,Samantha).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\fucking uncut cock beautyfull .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\nude xxx girls .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\temp\tyrkish action gay catfight ash .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\gay sleeping titts young (Melissa).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\sperm masturbation feet pregnant .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\german bukkake [free] .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\french blowjob [milf] feet .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\danish horse blowjob lesbian .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\tyrkish beastiality gay full movie (Sarah).rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black kicking xxx hidden mistress .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bukkake uncut ejaculation .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian nude xxx lesbian hole .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SoftwareDistribution\Download\russian action lesbian public glans .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\black cum lingerie public cock (Jenna,Janette).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\cum lingerie [free] cock upskirt .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\french fucking voyeur titts shower .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\trambling catfight .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\british hardcore catfight feet .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\asian sperm uncut latex .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\porn fucking public ash .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\gay hot (!) sweet .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\japanese beastiality beast full movie redhair .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie uncut upskirt .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\PLA\Templates\hardcore uncut gorgeoushorny .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\bukkake [free] bondage .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\french hardcore licking beautyfull .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish cumshot lingerie hidden femdom .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\danish animal blowjob several models .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\american beastiality trambling full movie redhair .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\lingerie [milf] titts sweet .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\bukkake hot (!) titts fishy (Samantha).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\security\templates\russian handjob sperm big (Sarah).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\hardcore voyeur (Jade).rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\beastiality trambling several models .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\swedish handjob bukkake uncut (Karin).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\malaysia beast [bangbus] shoes .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\spanish gay [free] cock gorgeoushorny .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\bukkake voyeur sweet .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\danish porn blowjob masturbation mature .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\spanish lingerie several models glans leather (Sylvia).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\cumshot trambling catfight high heels .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\horse masturbation sm .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\bukkake public hotel (Sonja,Sylvia).mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\bukkake public cock .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\animal lingerie girls wifey (Sandy,Curtney).mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\lingerie licking (Janette).rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\beast hot (!) hole .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\american handjob fucking several models 40+ .mpg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\sperm [milf] titts .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\african horse voyeur circumcision (Gina,Curtney).zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\assembly\tmp\sperm hot (!) leather .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse [bangbus] titts .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\tyrkish porn trambling masturbation swallow .zip.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\beastiality bukkake big hole stockings (Karin).avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\trambling [free] glans leather (Samantha).avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\canadian gay public glans beautyfull (Samantha).rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\animal xxx full movie lady .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\spanish blowjob voyeur stockings .rar.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\CbsTemp\danish handjob lesbian hidden upskirt .mpeg.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\InputMethod\SHARED\indian handjob lesbian girls sm .avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\french lesbian licking cock (Anniston,Liz).avi.exe	65d6fc979da0b19d9f422f71575df9a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4064	65d6fc979da0b19d9f422f71575df9a0N.exe
4064	65d6fc979da0b19d9f422f71575df9a0N.exe
732	65d6fc979da0b19d9f422f71575df9a0N.exe
732	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe
2940	65d6fc979da0b19d9f422f71575df9a0N.exe
2940	65d6fc979da0b19d9f422f71575df9a0N.exe
3884	65d6fc979da0b19d9f422f71575df9a0N.exe
3884	65d6fc979da0b19d9f422f71575df9a0N.exe
1420	65d6fc979da0b19d9f422f71575df9a0N.exe
1420	65d6fc979da0b19d9f422f71575df9a0N.exe
1244	65d6fc979da0b19d9f422f71575df9a0N.exe
4064	65d6fc979da0b19d9f422f71575df9a0N.exe
1244	65d6fc979da0b19d9f422f71575df9a0N.exe
4064	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
4984	65d6fc979da0b19d9f422f71575df9a0N.exe
732	65d6fc979da0b19d9f422f71575df9a0N.exe
732	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe
4836	65d6fc979da0b19d9f422f71575df9a0N.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4836	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	89
PID 4984 wrote to memory of 4836	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	89
PID 4984 wrote to memory of 4836	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	89
PID 4984 wrote to memory of 4064	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	92
PID 4984 wrote to memory of 4064	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	92
PID 4984 wrote to memory of 4064	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	92
PID 4836 wrote to memory of 732	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	93
PID 4836 wrote to memory of 732	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	93
PID 4836 wrote to memory of 732	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	93
PID 4064 wrote to memory of 2940	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	95
PID 4064 wrote to memory of 2940	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	95
PID 4064 wrote to memory of 2940	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	95
PID 4984 wrote to memory of 3884	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	96
PID 4984 wrote to memory of 3884	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	96
PID 4984 wrote to memory of 3884	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	96
PID 732 wrote to memory of 1420	732	65d6fc979da0b19d9f422f71575df9a0N.exe	97
PID 732 wrote to memory of 1420	732	65d6fc979da0b19d9f422f71575df9a0N.exe	97
PID 732 wrote to memory of 1420	732	65d6fc979da0b19d9f422f71575df9a0N.exe	97
PID 4836 wrote to memory of 1244	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	98
PID 4836 wrote to memory of 1244	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	98
PID 4836 wrote to memory of 1244	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	98
PID 4064 wrote to memory of 5052	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	99
PID 4064 wrote to memory of 5052	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	99
PID 4064 wrote to memory of 5052	4064	65d6fc979da0b19d9f422f71575df9a0N.exe	99
PID 2940 wrote to memory of 392	2940	65d6fc979da0b19d9f422f71575df9a0N.exe	100
PID 2940 wrote to memory of 392	2940	65d6fc979da0b19d9f422f71575df9a0N.exe	100
PID 2940 wrote to memory of 392	2940	65d6fc979da0b19d9f422f71575df9a0N.exe	100
PID 4984 wrote to memory of 1616	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	101
PID 4984 wrote to memory of 1616	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	101
PID 4984 wrote to memory of 1616	4984	65d6fc979da0b19d9f422f71575df9a0N.exe	101
PID 3884 wrote to memory of 1428	3884	65d6fc979da0b19d9f422f71575df9a0N.exe	102
PID 3884 wrote to memory of 1428	3884	65d6fc979da0b19d9f422f71575df9a0N.exe	102
PID 3884 wrote to memory of 1428	3884	65d6fc979da0b19d9f422f71575df9a0N.exe	102
PID 4836 wrote to memory of 4780	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	103
PID 4836 wrote to memory of 4780	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	103
PID 4836 wrote to memory of 4780	4836	65d6fc979da0b19d9f422f71575df9a0N.exe	103
PID 732 wrote to memory of 3632	732	65d6fc979da0b19d9f422f71575df9a0N.exe	104
PID 732 wrote to memory of 3632	732	65d6fc979da0b19d9f422f71575df9a0N.exe	104
PID 732 wrote to memory of 3632	732	65d6fc979da0b19d9f422f71575df9a0N.exe	104
PID 1244 wrote to memory of 1208	1244	65d6fc979da0b19d9f422f71575df9a0N.exe	106
PID 1244 wrote to memory of 1208	1244	65d6fc979da0b19d9f422f71575df9a0N.exe	106
PID 1244 wrote to memory of 1208	1244	65d6fc979da0b19d9f422f71575df9a0N.exe	106
PID 1420 wrote to memory of 2840	1420	65d6fc979da0b19d9f422f71575df9a0N.exe	107
PID 1420 wrote to memory of 2840	1420	65d6fc979da0b19d9f422f71575df9a0N.exe	107
PID 1420 wrote to memory of 2840	1420	65d6fc979da0b19d9f422f71575df9a0N.exe	107

C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        8⤵
        
        PID:11612
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        8⤵
        
        PID:15244
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:10888
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:13480
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:11556
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:15252
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10684
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:3396
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:10992
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:13616
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:8700
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10936
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13584
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5412
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6668
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8676
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:11988
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10904
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13512
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:1284
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:10808
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:13404
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:6764
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:8608
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10864
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13544
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5620
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:11008
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14228
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6756
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14628
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11040
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15204
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10700
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13364
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6592
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8420
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10708
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13356
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11596
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15220
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5712
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:9436
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10768
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15196
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:7312
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:9308
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11172
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:15236
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:13624
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:8616
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10692
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14120
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10984
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13600
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6812
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8924
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10944
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13520
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:11620
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14724
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6680
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8764
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14952
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11032
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14204
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5404
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11604
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14708
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6632
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:8456
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11144
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:14220
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5508
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10848
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13496
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6708
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8660
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10856
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13724
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11580
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14700
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6688
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:8668
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10880
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13488
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11564
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14732
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:7956
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11024
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13904
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11636
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:15264
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:6584
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:8692
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10872
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:13504
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:10740
        
        C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        7⤵
        
        PID:13716
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:8448
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:11056
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:14184
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10784
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13432
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8232
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11164
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14848
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10824
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13456
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:7224
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:9296
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10792
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14128
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11572
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15212
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5684
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10800
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13396
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:7080
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:9368
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10776
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13592
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5340
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:10816
      - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        6⤵
        
        PID:13440
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6608
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8888
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10960
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13536
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15272
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:8652
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10912
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13576
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10192
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10752
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14716
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:7176
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:9460
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11064
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:14212
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11628
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:7036
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:9212
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10968
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:13560
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:8172
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11048
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:14612
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5524
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:10716
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:8644
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10896
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13568
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5248
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:12296
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:15704
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:8780
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10920
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13528
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10976
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13704
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:6324
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:7768
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10840
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:13472
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:11000
    - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
        5⤵
        
        PID:13608
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:9036
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10952
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13552
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:10832
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:13448
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:6660
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:8772
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10928
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:14236
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:11588
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:15228
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:12260
  - - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
      "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
      4⤵
      PID:15656
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:7328
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:9444
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10732
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:12684
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:5164
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:10724
- - C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
    3⤵
    PID:14104
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:7340
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:9576
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:10760
- C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\65d6fc979da0b19d9f422f71575df9a0N.exe"
  2⤵
  PID:13388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\black action hardcore public (Tatjana).mpg.exe

Filesize
114KB

MD5
78a0d516a6ee3d193d1abcd66241e365

SHA1
a02f2509c0c7d515ca2b7978cb3f29236339bfad

SHA256
79d7ba64d3e6e78c18592d6d9f0f64666a60a6890212507baa18e94fbddeb80a

SHA512
553c6a4dc67282dbd3abc09437ad9f97ca41ace3bb9431a3ded0989b8d4e20ed99ea25a1cc34c397bf928b1df65e2539295774b4ed4f381863186cb45b942d39

Download Submit