c79f8592c9099791af299913980be09c5efdef2cf12080801ec4386dcd38b7fd

Analysis

max time kernel
17s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a334cbea318243092f9b83ddce2ae70N.exe
Size

616KB
MD5

1a334cbea318243092f9b83ddce2ae70
SHA1

e97856c03ad663a07b92c3556ee4088bfc9f3373
SHA256

c79f8592c9099791af299913980be09c5efdef2cf12080801ec4386dcd38b7fd
SHA512

adc8c578d0df7d9cc95b8d0cb2b57b813be4916045229d983355b5201253bee21d023efef29f5bdb649b0ab57f143d46d06f10eee2139dcdbe00cbab20bb81ba
SSDEEP

12288:dXCNi9Bf1doy9h1Y98BZP2iLI2jm1o/R8KAxOLxPrz1ElRy:oWf1doyWOnP9I2jX/R8+LxPrpaM

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	1a334cbea318243092f9b83ddce2ae70N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1a334cbea318243092f9b83ddce2ae70N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\J:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\M:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\P:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\R:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\T:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\U:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\W:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\Z:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\E:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\K:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\N:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\O:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\V:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\X:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\S:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\Y:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\A:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\B:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\G:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\I:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\L:	1a334cbea318243092f9b83ddce2ae70N.exe
File opened (read-only)	\??\Q:	1a334cbea318243092f9b83ddce2ae70N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\malaysia trambling beastiality big hole .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian licking (Samantha,Liz).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\spanish gay big .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\spanish lesbian [milf] upskirt .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian lingerie several models hole 40+ .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse gay girls glans sm (Sonja).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\chinese cum action masturbation bedroom (Jade,Curtney).mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish blowjob lingerie voyeur castration (Curtney).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\System32\DriverStore\Temp\indian lesbian bukkake hot (!) shoes .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish gang bang [free] ejaculation .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian cum gang bang lesbian ash sweet (Gina,Liz).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob cum catfight .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\kicking cum hot (!) redhair .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\chinese fetish lingerie voyeur bedroom .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\beast blowjob big ash bondage .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black handjob public .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian bukkake lesbian (Kathrin).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\canadian cumshot cum voyeur feet lady (Britney).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Google\Update\Download\german animal voyeur shower (Christine).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\american bukkake sleeping high heels (Ashley).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german fetish beast uncut lady (Liz,Janette).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Common Files\microsoft shared\tyrkish horse lesbian ash (Sandy).mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish bukkake cumshot [bangbus] .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake lingerie hot (!) nipples (Christine,Ashley).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\blowjob catfight (Sonja).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Google\Temp\gang bang beast uncut nipples .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fetish girls .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\kicking catfight .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\hardcore several models (Christine,Britney).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\german nude licking wifey .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\brasilian porn licking .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian hardcore sperm masturbation cock high heels .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\tyrkish blowjob [bangbus] granny (Kathrin).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\cum gang bang uncut fishy .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\canadian cum [free] boobs high heels .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\handjob lesbian .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\action gay [milf] .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\british action sleeping boobs penetration (Jade,Samantha).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\american bukkake [milf] penetration (Sandy,Jenna).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\british gay fucking lesbian vagina high heels .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fucking beast lesbian circumcision (Samantha,Janette).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\kicking several models lady .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\canadian nude hidden circumcision (Sonja,Liz).mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\handjob horse [milf] legs .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\porn girls .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\tyrkish bukkake [free] (Sonja,Jade).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\lesbian cum lesbian leather .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\InputMethod\SHARED\indian lingerie hardcore full movie mature .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\british hardcore hidden .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\british xxx kicking public lady .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\swedish horse blowjob big bondage (Curtney).rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\trambling lesbian .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\cum voyeur hotel .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\assembly\tmp\malaysia hardcore catfight (Janette).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\xxx sleeping .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\russian porn horse [free] young .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\porn several models shower .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\chinese kicking hot (!) granny .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\danish gang bang lesbian [free] .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\assembly\temp\spanish lingerie [free] gorgeoushorny (Sandy,Sonja).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\Downloaded Program Files\cumshot masturbation boots .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gay sleeping (Ashley,Christine).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\swedish porn lingerie licking balls .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\spanish gang bang licking fishy (Karin,Liz).mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\chinese beastiality lesbian hole shoes .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\sperm sleeping hole circumcision .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\african handjob beastiality public boots (Samantha).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\russian action beastiality [free] ash (Liz,Liz).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\lesbian full movie ash .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\german lingerie catfight balls .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\sperm beastiality voyeur .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\chinese animal blowjob hidden ash redhair (Sonja).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\canadian horse gay catfight bondage .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\gang bang several models leather .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\danish horse beastiality licking pregnant .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\CbsTemp\chinese lingerie horse catfight traffic .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\russian beastiality sperm sleeping hole .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\horse handjob [free] nipples beautyfull .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\french beast [milf] ash .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\gay hidden vagina bondage .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\malaysia fucking hidden wifey (Anniston,Samantha).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\indian bukkake licking .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\mssrv.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\xxx fetish big glans leather (Tatjana,Liz).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\american fucking hot (!) ash girly .mpg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\kicking lesbian .rar.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\italian gang bang horse girls glans shoes .zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\asian gay horse masturbation boobs upskirt (Janette,Gina).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\canadian porn several models nipples mistress (Anniston,Samantha).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\PLA\Templates\malaysia horse fetish [free] .mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\porn beast hot (!) YEâPSè& (Sonja).mpeg.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\fucking trambling licking .avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\french xxx beastiality licking latex (Curtney).avi.exe	1a334cbea318243092f9b83ddce2ae70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\gang bang lesbian ash (Sonja).zip.exe	1a334cbea318243092f9b83ddce2ae70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
2976	1a334cbea318243092f9b83ddce2ae70N.exe
2976	1a334cbea318243092f9b83ddce2ae70N.exe
2096	1a334cbea318243092f9b83ddce2ae70N.exe
2096	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
4604	1a334cbea318243092f9b83ddce2ae70N.exe
4604	1a334cbea318243092f9b83ddce2ae70N.exe
748	1a334cbea318243092f9b83ddce2ae70N.exe
748	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
4400	1a334cbea318243092f9b83ddce2ae70N.exe
4400	1a334cbea318243092f9b83ddce2ae70N.exe
4740	1a334cbea318243092f9b83ddce2ae70N.exe
4740	1a334cbea318243092f9b83ddce2ae70N.exe
4520	1a334cbea318243092f9b83ddce2ae70N.exe
4520	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
2976	1a334cbea318243092f9b83ddce2ae70N.exe
2976	1a334cbea318243092f9b83ddce2ae70N.exe
4592	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
1872	1a334cbea318243092f9b83ddce2ae70N.exe
4020	1a334cbea318243092f9b83ddce2ae70N.exe
4020	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
2220	1a334cbea318243092f9b83ddce2ae70N.exe
1156	1a334cbea318243092f9b83ddce2ae70N.exe
1156	1a334cbea318243092f9b83ddce2ae70N.exe
2268	1a334cbea318243092f9b83ddce2ae70N.exe
2268	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
3988	1a334cbea318243092f9b83ddce2ae70N.exe
2096	1a334cbea318243092f9b83ddce2ae70N.exe
2096	1a334cbea318243092f9b83ddce2ae70N.exe
4604	1a334cbea318243092f9b83ddce2ae70N.exe
4604	1a334cbea318243092f9b83ddce2ae70N.exe
640	1a334cbea318243092f9b83ddce2ae70N.exe
640	1a334cbea318243092f9b83ddce2ae70N.exe
768	1a334cbea318243092f9b83ddce2ae70N.exe
768	1a334cbea318243092f9b83ddce2ae70N.exe
748	1a334cbea318243092f9b83ddce2ae70N.exe
748	1a334cbea318243092f9b83ddce2ae70N.exe
2440	1a334cbea318243092f9b83ddce2ae70N.exe
2440	1a334cbea318243092f9b83ddce2ae70N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 4592	1872	1a334cbea318243092f9b83ddce2ae70N.exe	92
PID 1872 wrote to memory of 4592	1872	1a334cbea318243092f9b83ddce2ae70N.exe	92
PID 1872 wrote to memory of 4592	1872	1a334cbea318243092f9b83ddce2ae70N.exe	92
PID 4592 wrote to memory of 3988	4592	1a334cbea318243092f9b83ddce2ae70N.exe	93
PID 4592 wrote to memory of 3988	4592	1a334cbea318243092f9b83ddce2ae70N.exe	93
PID 4592 wrote to memory of 3988	4592	1a334cbea318243092f9b83ddce2ae70N.exe	93
PID 1872 wrote to memory of 2220	1872	1a334cbea318243092f9b83ddce2ae70N.exe	94
PID 1872 wrote to memory of 2220	1872	1a334cbea318243092f9b83ddce2ae70N.exe	94
PID 1872 wrote to memory of 2220	1872	1a334cbea318243092f9b83ddce2ae70N.exe	94
PID 1872 wrote to memory of 2976	1872	1a334cbea318243092f9b83ddce2ae70N.exe	96
PID 1872 wrote to memory of 2976	1872	1a334cbea318243092f9b83ddce2ae70N.exe	96
PID 1872 wrote to memory of 2976	1872	1a334cbea318243092f9b83ddce2ae70N.exe	96
PID 4592 wrote to memory of 2096	4592	1a334cbea318243092f9b83ddce2ae70N.exe	97
PID 4592 wrote to memory of 2096	4592	1a334cbea318243092f9b83ddce2ae70N.exe	97
PID 4592 wrote to memory of 2096	4592	1a334cbea318243092f9b83ddce2ae70N.exe	97
PID 3988 wrote to memory of 4604	3988	1a334cbea318243092f9b83ddce2ae70N.exe	98
PID 3988 wrote to memory of 4604	3988	1a334cbea318243092f9b83ddce2ae70N.exe	98
PID 3988 wrote to memory of 4604	3988	1a334cbea318243092f9b83ddce2ae70N.exe	98
PID 2220 wrote to memory of 748	2220	1a334cbea318243092f9b83ddce2ae70N.exe	99
PID 2220 wrote to memory of 748	2220	1a334cbea318243092f9b83ddce2ae70N.exe	99
PID 2220 wrote to memory of 748	2220	1a334cbea318243092f9b83ddce2ae70N.exe	99
PID 1872 wrote to memory of 4520	1872	1a334cbea318243092f9b83ddce2ae70N.exe	100
PID 1872 wrote to memory of 4520	1872	1a334cbea318243092f9b83ddce2ae70N.exe	100
PID 1872 wrote to memory of 4520	1872	1a334cbea318243092f9b83ddce2ae70N.exe	100
PID 4592 wrote to memory of 4400	4592	1a334cbea318243092f9b83ddce2ae70N.exe	101
PID 4592 wrote to memory of 4400	4592	1a334cbea318243092f9b83ddce2ae70N.exe	101
PID 4592 wrote to memory of 4400	4592	1a334cbea318243092f9b83ddce2ae70N.exe	101
PID 2976 wrote to memory of 4740	2976	1a334cbea318243092f9b83ddce2ae70N.exe	102
PID 2976 wrote to memory of 4740	2976	1a334cbea318243092f9b83ddce2ae70N.exe	102
PID 2976 wrote to memory of 4740	2976	1a334cbea318243092f9b83ddce2ae70N.exe	102
PID 2220 wrote to memory of 4020	2220	1a334cbea318243092f9b83ddce2ae70N.exe	103
PID 2220 wrote to memory of 4020	2220	1a334cbea318243092f9b83ddce2ae70N.exe	103
PID 2220 wrote to memory of 4020	2220	1a334cbea318243092f9b83ddce2ae70N.exe	103
PID 2096 wrote to memory of 2268	2096	1a334cbea318243092f9b83ddce2ae70N.exe	104
PID 2096 wrote to memory of 2268	2096	1a334cbea318243092f9b83ddce2ae70N.exe	104
PID 2096 wrote to memory of 2268	2096	1a334cbea318243092f9b83ddce2ae70N.exe	104
PID 3988 wrote to memory of 1156	3988	1a334cbea318243092f9b83ddce2ae70N.exe	105
PID 3988 wrote to memory of 1156	3988	1a334cbea318243092f9b83ddce2ae70N.exe	105
PID 3988 wrote to memory of 1156	3988	1a334cbea318243092f9b83ddce2ae70N.exe	105
PID 4604 wrote to memory of 640	4604	1a334cbea318243092f9b83ddce2ae70N.exe	106
PID 4604 wrote to memory of 640	4604	1a334cbea318243092f9b83ddce2ae70N.exe	106
PID 4604 wrote to memory of 640	4604	1a334cbea318243092f9b83ddce2ae70N.exe	106
PID 748 wrote to memory of 768	748	1a334cbea318243092f9b83ddce2ae70N.exe	107
PID 748 wrote to memory of 768	748	1a334cbea318243092f9b83ddce2ae70N.exe	107
PID 748 wrote to memory of 768	748	1a334cbea318243092f9b83ddce2ae70N.exe	107
PID 1872 wrote to memory of 2440	1872	1a334cbea318243092f9b83ddce2ae70N.exe	108
PID 1872 wrote to memory of 2440	1872	1a334cbea318243092f9b83ddce2ae70N.exe	108
PID 1872 wrote to memory of 2440	1872	1a334cbea318243092f9b83ddce2ae70N.exe	108
PID 2976 wrote to memory of 828	2976	1a334cbea318243092f9b83ddce2ae70N.exe	109
PID 2976 wrote to memory of 828	2976	1a334cbea318243092f9b83ddce2ae70N.exe	109
PID 2976 wrote to memory of 828	2976	1a334cbea318243092f9b83ddce2ae70N.exe	109
PID 4520 wrote to memory of 3492	4520	1a334cbea318243092f9b83ddce2ae70N.exe	110
PID 4520 wrote to memory of 3492	4520	1a334cbea318243092f9b83ddce2ae70N.exe	110
PID 4520 wrote to memory of 3492	4520	1a334cbea318243092f9b83ddce2ae70N.exe	110
PID 4740 wrote to memory of 4732	4740	1a334cbea318243092f9b83ddce2ae70N.exe	111
PID 4740 wrote to memory of 4732	4740	1a334cbea318243092f9b83ddce2ae70N.exe	111
PID 4740 wrote to memory of 4732	4740	1a334cbea318243092f9b83ddce2ae70N.exe	111
PID 4592 wrote to memory of 1408	4592	1a334cbea318243092f9b83ddce2ae70N.exe	112
PID 4592 wrote to memory of 1408	4592	1a334cbea318243092f9b83ddce2ae70N.exe	112
PID 4592 wrote to memory of 1408	4592	1a334cbea318243092f9b83ddce2ae70N.exe	112
PID 4400 wrote to memory of 1452	4400	1a334cbea318243092f9b83ddce2ae70N.exe	113
PID 4400 wrote to memory of 1452	4400	1a334cbea318243092f9b83ddce2ae70N.exe	113
PID 4400 wrote to memory of 1452	4400	1a334cbea318243092f9b83ddce2ae70N.exe	113
PID 2220 wrote to memory of 4888	2220	1a334cbea318243092f9b83ddce2ae70N.exe	114

C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
"C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        8⤵
        
        PID:13460
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:9780
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:13396
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:13304
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:8724
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:11752
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:11280
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:14448
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:12316
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:13364
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:9168
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:12260
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:11468
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:9460
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13324
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10480
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12364
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:10728
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:15012
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:6560
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:12404
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13296
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8708
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11716
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13444
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7244
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13840
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13776
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7252
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14432
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13640
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10088
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13620
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7732
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:14296
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10404
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13572
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:11476
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:17092
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13476
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:6540
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14464
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8692
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11708
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13468
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7756
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14288
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10428
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13556
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13856
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12244
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9420
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:832
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8376
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11372
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13664
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:12236
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7616
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:10068
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:12252
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8700
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11700
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13452
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7568
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14936
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9752
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:14456
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10932
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13492
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7812
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10444
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13548
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7820
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10956
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13516
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13388
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8716
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11768
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7260
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13832
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:9512
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13348
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10136
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13864
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:7956
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:14232
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:10608
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13524
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5768
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:14952
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13900
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7012
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14236
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9076
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12128
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7300
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14272
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9672
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13892
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10532
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13144
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7920
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10592
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13532
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10452
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13564
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6324
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11660
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13436
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8548
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11356
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:12416
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5812
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9480
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13316
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12036
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8924
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11900
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13308
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7236
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13792
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:3128
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10108
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13812
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:7796
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:14944
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:10412
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13588
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      Checks computer location settings
      PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        7⤵
        
        PID:14248
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:9808
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13604
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:6968
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:13356
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8940
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12028
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:4052
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7488
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:14960
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:9656
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13380
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11220
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13484
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:10472
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13540
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:15056
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:10336
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13596
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13340
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8740
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11744
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13428
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7584
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:14280
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13612
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:9636
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13372
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:7632
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:14968
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:10096
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13848
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    - Checks computer location settings
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:8080
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:11028
      - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        6⤵
        
        PID:15572
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13508
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:12216
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8732
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13420
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:7308
    - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
        5⤵
        
        PID:13872
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:8824
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13632
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:11236
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13500
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:7740
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:10464
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13580
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:5820
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13784
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13332
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:8932
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:11832
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:2028
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:7556
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:13768
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:9744
  - - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
      "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
      4⤵
      PID:17084
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13800
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:10316
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:13404
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  PID:7828
- - C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
    "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
    3⤵
    PID:14928
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  PID:10436
- C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a334cbea318243092f9b83ddce2ae70N.exe"
  2⤵
  PID:13412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake lingerie hot (!) nipples (Christine,Ashley).avi.exe

Filesize
1.2MB

MD5
ec16ca4bfedbcfa2374f00957a6a30b2

SHA1
f21c62e87917226984d3fabfc90fe12a34f401ed

SHA256
c14d50a4068e45063bcd59b26c9c1d9ff45f528fbd77e5f2d6d11bc4a7c04d61

SHA512
3f80233f249e6b646b3a556042727486f6048a93a63220c534fa507f001f1d147a8c5bebfb9e148361fa0239f536f08482d78556e0e1a2c264f3a12dcf1ba06a

Download Submit
memory/1156-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1872-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2096-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2440-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3908-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4020-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4184-289-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4400-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4520-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-123-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4604-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4652-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4740-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5368-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5652-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5696-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5704-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5768-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5776-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5796-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5804-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5828-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5976-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5984-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5992-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6024-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6032-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6040-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6056-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6540-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6552-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6568-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6576-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6584-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6596-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6624-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7012-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7180-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7188-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7228-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7236-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7244-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7260-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7300-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7308-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7488-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7556-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7624-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7724-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7732-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7756-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7764-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7780-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7796-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7804-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7812-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7820-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7828-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7956-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8320-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8376-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8548-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8692-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8708-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8716-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8732-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8896-288-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8924-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8932-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9076-287-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9228-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9420-292-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9460-291-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9480-293-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9512-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9636-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9656-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9672-297-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9752-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9780-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10068-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10088-301-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10096-302-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10108-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10136-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10404-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10592-307-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10608-308-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10728-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10956-310-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11028-311-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11220-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download