3c6ce930c0b09bf30fd4c89c190d76680b017f04d39f49dfd88eb4c7b2a99c30

Analysis

max time kernel
11s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0da1af14348f2b0421320574ac84dd0N.exe
Size

364KB
MD5

d0da1af14348f2b0421320574ac84dd0
SHA1

469edabcb63fb8e9dde4ade0d8f12c5cb009a2df
SHA256

3c6ce930c0b09bf30fd4c89c190d76680b017f04d39f49dfd88eb4c7b2a99c30
SHA512

3541e2bf633a3840d9e1906758f38060c04c04220cdf4d05ab06c594bef5eabf07cafac4c72e19e52d7f6dd1041426df08d2409a0999e1c6683163b72867fb86
SSDEEP

6144:A//ICMmDRxs3NBRzeZG0npt0mUEtQWFEagMPvA7SkrHlMG5RZf2Hi889H:A//vi9BMMJo0MPvmSk7lr7ZT8A

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	d0da1af14348f2b0421320574ac84dd0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d0da1af14348f2b0421320574ac84dd0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\H:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\L:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\R:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\S:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\W:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\A:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\E:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\Z:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\N:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\X:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\B:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\M:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\Q:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\V:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\J:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\P:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\O:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\T:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\U:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\Y:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\I:	d0da1af14348f2b0421320574ac84dd0N.exe
File opened (read-only)	\??\K:	d0da1af14348f2b0421320574ac84dd0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\lesbian girls .mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian [bangbus] .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese kicking xxx voyeur young .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm masturbation (Liz).zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\System32\DriverStore\Temp\russian action fucking hot (!) (Melissa).zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian lesbian girls glans .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian cum trambling girls black hairunshaved (Ashley,Liz).mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese action trambling uncut (Janette).rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian horse sperm hot (!) pregnant .mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish gang bang lesbian public (Samantha).avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian beastiality sperm hidden hole femdom (Sylvia).rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian voyeur cock .avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Templates\danish handjob horse big girly .mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\horse hidden bedroom .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Google\Temp\tyrkish action lesbian lesbian hole traffic .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\trambling [milf] beautyfull (Gina,Liz).avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\blowjob [bangbus] granny .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\fucking masturbation cock .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\hardcore licking fishy .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\xxx hot (!) penetration .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian nude hardcore girls Œã .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish porn beast sleeping castration .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lesbian big black hairunshaved .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish beastiality bukkake several models upskirt (Gina,Tatjana).zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\trambling voyeur .mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sperm voyeur wifey .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\dotnet\shared\tyrkish porn hardcore [bangbus] cock beautyfull (Jade).rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian action lingerie girls glans sm (Sarah).avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\gay voyeur .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish hardcore masturbation bedroom (Sonja,Karin).avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fucking uncut .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling lesbian .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\italian animal lesbian lesbian .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\trambling voyeur YEâPSè& .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\italian horse xxx catfight circumcision .avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black animal sperm masturbation cock bedroom .mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\american gang bang lesbian big wifey .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\sperm uncut .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black animal lesbian uncut traffic .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fucking girls swallow .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SoftwareDistribution\Download\gay lesbian cock bondage .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\sperm lesbian blondie (Sonja,Sylvia).mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\lesbian voyeur sm .avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\tmp\italian porn hardcore several models hole .avi.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\brasilian nude horse lesbian mistress .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\danish fetish bukkake big cock .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\InputMethod\SHARED\italian action horse catfight glans (Christine,Curtney).mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\security\templates\italian gang bang hardcore voyeur titts bedroom (Samantha).mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse sleeping hole (Anniston,Sarah).mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\blowjob voyeur traffic (Sandy,Samantha).zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\temp\blowjob [milf] titts upskirt (Melissa).mpg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\horse voyeur feet balls .mpeg.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\CbsTemp\brasilian fetish blowjob several models sweet .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\Downloaded Program Files\japanese action lingerie catfight hotel .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\PLA\Templates\danish cumshot gay hot (!) titts bedroom .rar.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish action sperm [bangbus] .zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\mssrv.exe	d0da1af14348f2b0421320574ac84dd0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\italian gang bang lesbian licking femdom (Anniston,Melissa).zip.exe	d0da1af14348f2b0421320574ac84dd0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3232	d0da1af14348f2b0421320574ac84dd0N.exe
3232	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
4968	d0da1af14348f2b0421320574ac84dd0N.exe
4968	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
264	d0da1af14348f2b0421320574ac84dd0N.exe
264	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
4888	d0da1af14348f2b0421320574ac84dd0N.exe
4888	d0da1af14348f2b0421320574ac84dd0N.exe
3612	d0da1af14348f2b0421320574ac84dd0N.exe
3612	d0da1af14348f2b0421320574ac84dd0N.exe
3232	d0da1af14348f2b0421320574ac84dd0N.exe
3232	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
408	d0da1af14348f2b0421320574ac84dd0N.exe
1216	d0da1af14348f2b0421320574ac84dd0N.exe
1216	d0da1af14348f2b0421320574ac84dd0N.exe
4968	d0da1af14348f2b0421320574ac84dd0N.exe
4968	d0da1af14348f2b0421320574ac84dd0N.exe
212	d0da1af14348f2b0421320574ac84dd0N.exe
212	d0da1af14348f2b0421320574ac84dd0N.exe
2252	d0da1af14348f2b0421320574ac84dd0N.exe
2252	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
3040	d0da1af14348f2b0421320574ac84dd0N.exe
264	d0da1af14348f2b0421320574ac84dd0N.exe
264	d0da1af14348f2b0421320574ac84dd0N.exe
3496	d0da1af14348f2b0421320574ac84dd0N.exe
3496	d0da1af14348f2b0421320574ac84dd0N.exe
948	d0da1af14348f2b0421320574ac84dd0N.exe
948	d0da1af14348f2b0421320574ac84dd0N.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 408	3040	d0da1af14348f2b0421320574ac84dd0N.exe	87
PID 3040 wrote to memory of 408	3040	d0da1af14348f2b0421320574ac84dd0N.exe	87
PID 3040 wrote to memory of 408	3040	d0da1af14348f2b0421320574ac84dd0N.exe	87
PID 3040 wrote to memory of 3232	3040	d0da1af14348f2b0421320574ac84dd0N.exe	90
PID 3040 wrote to memory of 3232	3040	d0da1af14348f2b0421320574ac84dd0N.exe	90
PID 3040 wrote to memory of 3232	3040	d0da1af14348f2b0421320574ac84dd0N.exe	90
PID 408 wrote to memory of 4968	408	d0da1af14348f2b0421320574ac84dd0N.exe	91
PID 408 wrote to memory of 4968	408	d0da1af14348f2b0421320574ac84dd0N.exe	91
PID 408 wrote to memory of 4968	408	d0da1af14348f2b0421320574ac84dd0N.exe	91
PID 3040 wrote to memory of 264	3040	d0da1af14348f2b0421320574ac84dd0N.exe	94
PID 3040 wrote to memory of 264	3040	d0da1af14348f2b0421320574ac84dd0N.exe	94
PID 3040 wrote to memory of 264	3040	d0da1af14348f2b0421320574ac84dd0N.exe	94
PID 3232 wrote to memory of 4888	3232	d0da1af14348f2b0421320574ac84dd0N.exe	95
PID 3232 wrote to memory of 4888	3232	d0da1af14348f2b0421320574ac84dd0N.exe	95
PID 3232 wrote to memory of 4888	3232	d0da1af14348f2b0421320574ac84dd0N.exe	95
PID 408 wrote to memory of 3612	408	d0da1af14348f2b0421320574ac84dd0N.exe	96
PID 408 wrote to memory of 3612	408	d0da1af14348f2b0421320574ac84dd0N.exe	96
PID 408 wrote to memory of 3612	408	d0da1af14348f2b0421320574ac84dd0N.exe	96
PID 4968 wrote to memory of 1216	4968	d0da1af14348f2b0421320574ac84dd0N.exe	97
PID 4968 wrote to memory of 1216	4968	d0da1af14348f2b0421320574ac84dd0N.exe	97
PID 4968 wrote to memory of 1216	4968	d0da1af14348f2b0421320574ac84dd0N.exe	97
PID 3040 wrote to memory of 212	3040	d0da1af14348f2b0421320574ac84dd0N.exe	99
PID 3040 wrote to memory of 212	3040	d0da1af14348f2b0421320574ac84dd0N.exe	99
PID 3040 wrote to memory of 212	3040	d0da1af14348f2b0421320574ac84dd0N.exe	99
PID 264 wrote to memory of 2252	264	d0da1af14348f2b0421320574ac84dd0N.exe	100
PID 264 wrote to memory of 2252	264	d0da1af14348f2b0421320574ac84dd0N.exe	100
PID 264 wrote to memory of 2252	264	d0da1af14348f2b0421320574ac84dd0N.exe	100
PID 408 wrote to memory of 3496	408	d0da1af14348f2b0421320574ac84dd0N.exe	101
PID 408 wrote to memory of 3496	408	d0da1af14348f2b0421320574ac84dd0N.exe	101
PID 408 wrote to memory of 3496	408	d0da1af14348f2b0421320574ac84dd0N.exe	101
PID 3232 wrote to memory of 948	3232	d0da1af14348f2b0421320574ac84dd0N.exe	102
PID 3232 wrote to memory of 948	3232	d0da1af14348f2b0421320574ac84dd0N.exe	102
PID 3232 wrote to memory of 948	3232	d0da1af14348f2b0421320574ac84dd0N.exe	102
PID 3612 wrote to memory of 3680	3612	d0da1af14348f2b0421320574ac84dd0N.exe	103
PID 3612 wrote to memory of 3680	3612	d0da1af14348f2b0421320574ac84dd0N.exe	103
PID 3612 wrote to memory of 3680	3612	d0da1af14348f2b0421320574ac84dd0N.exe	103
PID 4888 wrote to memory of 2456	4888	d0da1af14348f2b0421320574ac84dd0N.exe	104
PID 4888 wrote to memory of 2456	4888	d0da1af14348f2b0421320574ac84dd0N.exe	104
PID 4888 wrote to memory of 2456	4888	d0da1af14348f2b0421320574ac84dd0N.exe	104
PID 4968 wrote to memory of 3088	4968	d0da1af14348f2b0421320574ac84dd0N.exe	105
PID 4968 wrote to memory of 3088	4968	d0da1af14348f2b0421320574ac84dd0N.exe	105
PID 4968 wrote to memory of 3088	4968	d0da1af14348f2b0421320574ac84dd0N.exe	105
PID 1216 wrote to memory of 1736	1216	d0da1af14348f2b0421320574ac84dd0N.exe	106
PID 1216 wrote to memory of 1736	1216	d0da1af14348f2b0421320574ac84dd0N.exe	106
PID 1216 wrote to memory of 1736	1216	d0da1af14348f2b0421320574ac84dd0N.exe	106
PID 3040 wrote to memory of 1640	3040	d0da1af14348f2b0421320574ac84dd0N.exe	107
PID 3040 wrote to memory of 1640	3040	d0da1af14348f2b0421320574ac84dd0N.exe	107
PID 3040 wrote to memory of 1640	3040	d0da1af14348f2b0421320574ac84dd0N.exe	107
PID 212 wrote to memory of 4564	212	d0da1af14348f2b0421320574ac84dd0N.exe	109
PID 212 wrote to memory of 4564	212	d0da1af14348f2b0421320574ac84dd0N.exe	109
PID 212 wrote to memory of 4564	212	d0da1af14348f2b0421320574ac84dd0N.exe	109
PID 2252 wrote to memory of 2892	2252	d0da1af14348f2b0421320574ac84dd0N.exe	110
PID 2252 wrote to memory of 2892	2252	d0da1af14348f2b0421320574ac84dd0N.exe	110
PID 2252 wrote to memory of 2892	2252	d0da1af14348f2b0421320574ac84dd0N.exe	110
PID 264 wrote to memory of 1540	264	d0da1af14348f2b0421320574ac84dd0N.exe	111
PID 264 wrote to memory of 1540	264	d0da1af14348f2b0421320574ac84dd0N.exe	111
PID 264 wrote to memory of 1540	264	d0da1af14348f2b0421320574ac84dd0N.exe	111

C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        8⤵
        
        PID:12016
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        8⤵
        
        PID:17140
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        8⤵
        
        PID:13796
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:10828
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:14916
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:12652
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:17604
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:14980
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:9428
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:12904
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:13180
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:16408
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10804
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14900
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10048
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13740
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6912
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13544
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9120
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12540
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17336
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:3088
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:13236
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10972
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:15252
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5764
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10324
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14120
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7232
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14584
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9464
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12936
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6396
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:15656
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:16356
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10812
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14908
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5568
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9024
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17132
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6976
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13668
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17168
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:17176
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:16464
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10820
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14892
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5660
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13488
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13036
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9356
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12764
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17588
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:11252
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:16040
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10424
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14264
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5372
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7596
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:15800
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10400
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14224
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6744
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13220
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8592
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11484
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16316
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5540
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:536
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10384
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14192
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14536
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:8828
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:11948
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17008
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5220
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7080
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14480
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9372
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12772
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6628
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13172
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8180
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13416
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11384
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16300
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5500
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9916
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13660
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6896
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13604
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:12260
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17124
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:7008
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13308
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:9228
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:12636
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17580
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6312
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11260
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16056
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16936
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:10860
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:14824
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:17116
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        7⤵
        
        PID:16340
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10844
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14816
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10056
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13748
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7240
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14772
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9388
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12756
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:856
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:12480
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:17360
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7756
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:336
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10488
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14316
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5492
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10416
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14232
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6820
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13228
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8820
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:12024
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17664
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5916
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10480
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14576
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:16364
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10376
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:14184
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5348
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7248
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:15132
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9380
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12780
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13196
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8652
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17056
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11500
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16348
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12000
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17084
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:15828
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:10432
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:14208
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6992
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:15184
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8996
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:12252
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17148
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6408
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:13164
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16400
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:11244
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:16024
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:5712
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13960
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:14528
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:9456
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:12928
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:6828
      - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        6⤵
        
        PID:13204
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:8812
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:11976
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:17068
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6276
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:11088
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:15664
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:7788
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:10852
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:14844
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:10064
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13732
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:7336
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:15584
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:9436
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:13260
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6904
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13060
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:12244
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17156
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6200
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8712
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16048
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:7772
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16380
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:10464
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:14248
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:5972
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:11292
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:16236
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:7588
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:15808
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:10392
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:14216
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
        5⤵
        
        PID:13692
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:8836
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11992
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:17076
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6224
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:13008
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:7780
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16136
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:10836
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:14832
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:11344
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16308
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:7748
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16372
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:10408
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:14240
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:13212
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:8376
  - - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
      4⤵
      PID:16992
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:11756
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:4420
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:6156
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:10472
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:14304
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:7764
- - C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
    3⤵
    PID:16004
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:10440
- C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d0da1af14348f2b0421320574ac84dd0N.exe"
  2⤵
  PID:14200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian action lingerie girls glans sm (Sarah).avi.exe

Filesize
1.2MB

MD5
0f788d498ea992fc2bfcb0b856b2a981

SHA1
67334c5f64936ab07868e2ab70a6f92cf09f52d4

SHA256
5e8ae23e9d65c326d6eef59a51246306525b7749caf73ad8319daa3036097d1e

SHA512
c1d6c49ba0906b4872de3533b3d9f6c0b27320539f40823a25f75160027b947fddc78fe33d6d202e6dde70a98a24a41a781734652b92f65d759efd8ccef63fbf

Download Submit