3f472ec0cc29e581fa98a8403d24d3e72b1e7d2cbd38f9d3bc586295bd9787d1

Analysis

max time kernel
13s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449800e5cc59a94c185471db521f39d0N.exe
Size

465KB
MD5

449800e5cc59a94c185471db521f39d0
SHA1

d9347a26551393544fc657a1bf1f0a8a6bfbcaac
SHA256

3f472ec0cc29e581fa98a8403d24d3e72b1e7d2cbd38f9d3bc586295bd9787d1
SHA512

9f9d7aa46583f067a9169224bd8b7a4521a2e30213919dd8fc848915014c154fbfabed6c03e3c43f94d101257aa3d0a055966b18e1cfd329bf8277b67cf3209e
SSDEEP

12288:dXCNi9B74fdY8XV91FzMyygbDlhaLDb1LvzH107kQ:oW7gJTze2baLVLvzS7kQ

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	449800e5cc59a94c185471db521f39d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	449800e5cc59a94c185471db521f39d0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\K:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\P:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\S:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\T:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\X:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\Y:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\Z:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\O:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\V:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\W:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\B:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\E:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\I:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\J:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\L:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\M:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\N:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\R:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\A:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\H:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\Q:	449800e5cc59a94c185471db521f39d0N.exe
File opened (read-only)	\??\U:	449800e5cc59a94c185471db521f39d0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish gang bang bukkake public hole high heels .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\bukkake hot (!) (Karin).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian handjob gay voyeur penetration .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake full movie feet circumcision (Liz).avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish action fucking [milf] .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\System32\DriverStore\Temp\italian handjob trambling several models hole .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian animal gay voyeur feet blondie .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\trambling girls lady .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian animal fucking masturbation titts .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian cumshot gay uncut pregnant .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm full movie hole ejaculation .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish nude sperm voyeur .avi.exe	449800e5cc59a94c185471db521f39d0N.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian cum bukkake [milf] titts .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish cum beast [milf] glans mature .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse voyeur .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish fetish trambling [free] .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lingerie [free] boots (Ashley,Curtney).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\american action bukkake voyeur titts wifey (Melissa).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\dotnet\shared\trambling [bangbus] femdom .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Google\Temp\lingerie [milf] high heels .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lesbian big titts shower .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lesbian [free] titts .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian animal trambling public beautyfull .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\black porn blowjob [free] .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian nude sperm full movie hole wifey (Curtney).mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cumshot hardcore girls ¤ç .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking several models gorgeoushorny .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\tyrkish horse gay uncut glans wifey .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese action xxx hidden (Curtney).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\gay [milf] (Karin).rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7A02.tmp\japanese nude bukkake hot (!) glans beautyfull (Karin).mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\italian nude trambling sleeping hole Ôï .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\hardcore voyeur .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lingerie [bangbus] hole (Christine,Melissa).mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling [free] hole (Sonja,Sarah).mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\beast catfight glans .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\spanish beast masturbation hole ejaculation (Curtney).rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\brasilian cumshot fucking several models pregnant (Kathrin,Tatjana).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\porn sperm licking .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\nude xxx [free] (Liz).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\PLA\Templates\beast [milf] girly .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\brasilian porn bukkake girls femdom .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\mssrv.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\temp\bukkake hot (!) granny .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\indian porn trambling lesbian femdom .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\InputMethod\SHARED\xxx hot (!) Ôï .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\sperm public bondage .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\Downloaded Program Files\gay public .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\trambling hot (!) .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian animal xxx big YEâPSè& .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian handjob lingerie big feet .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\brasilian handjob xxx catfight titts 50+ (Jade).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\black porn fucking hot (!) (Samantha).avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\animal horse hidden .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse full movie hole redhair .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\kicking lingerie hidden glans mistress .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\gay full movie feet mature (Karin).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\canadian gay licking cock .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\danish handjob bukkake girls penetration .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\nude hardcore catfight sweet (Sonja,Karin).mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\tmp\russian nude blowjob hot (!) glans 40+ (Melissa).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\asian trambling big bondage (Ashley,Tatjana).rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish porn fucking licking blondie .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\japanese gang bang lesbian voyeur hole .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\lesbian full movie (Tatjana).avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\black gang bang bukkake voyeur balls .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse hot (!) .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\trambling sleeping beautyfull .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\security\templates\danish kicking sperm voyeur .mpeg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian horse fucking [milf] glans .zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\tyrkish fetish bukkake masturbation (Jade).avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\CbsTemp\american nude lingerie voyeur (Samantha).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\tyrkish cumshot blowjob uncut ash .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\british trambling masturbation .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\chinese blowjob lesbian glans high heels .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\handjob gay catfight titts sweet (Sarah).zip.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\beast hidden hotel .avi.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\asian xxx public young .rar.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\norwegian blowjob girls .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\canadian blowjob [bangbus] hole .mpg.exe	449800e5cc59a94c185471db521f39d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5036	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
3524	449800e5cc59a94c185471db521f39d0N.exe
3524	449800e5cc59a94c185471db521f39d0N.exe
1608	449800e5cc59a94c185471db521f39d0N.exe
1608	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
3368	449800e5cc59a94c185471db521f39d0N.exe
3368	449800e5cc59a94c185471db521f39d0N.exe
4444	449800e5cc59a94c185471db521f39d0N.exe
4444	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
4712	449800e5cc59a94c185471db521f39d0N.exe
4712	449800e5cc59a94c185471db521f39d0N.exe
2100	449800e5cc59a94c185471db521f39d0N.exe
2100	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
3980	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
1744	449800e5cc59a94c185471db521f39d0N.exe
4964	449800e5cc59a94c185471db521f39d0N.exe
4964	449800e5cc59a94c185471db521f39d0N.exe
1388	449800e5cc59a94c185471db521f39d0N.exe
1388	449800e5cc59a94c185471db521f39d0N.exe
3524	449800e5cc59a94c185471db521f39d0N.exe
3524	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
5036	449800e5cc59a94c185471db521f39d0N.exe
436	449800e5cc59a94c185471db521f39d0N.exe
436	449800e5cc59a94c185471db521f39d0N.exe
4308	449800e5cc59a94c185471db521f39d0N.exe
4308	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
1404	449800e5cc59a94c185471db521f39d0N.exe
3368	449800e5cc59a94c185471db521f39d0N.exe
3368	449800e5cc59a94c185471db521f39d0N.exe
4804	449800e5cc59a94c185471db521f39d0N.exe
732	449800e5cc59a94c185471db521f39d0N.exe
4804	449800e5cc59a94c185471db521f39d0N.exe
732	449800e5cc59a94c185471db521f39d0N.exe
1608	449800e5cc59a94c185471db521f39d0N.exe
1608	449800e5cc59a94c185471db521f39d0N.exe
4444	449800e5cc59a94c185471db521f39d0N.exe
4444	449800e5cc59a94c185471db521f39d0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1744	5036	449800e5cc59a94c185471db521f39d0N.exe	86
PID 5036 wrote to memory of 1744	5036	449800e5cc59a94c185471db521f39d0N.exe	86
PID 5036 wrote to memory of 1744	5036	449800e5cc59a94c185471db521f39d0N.exe	86
PID 1744 wrote to memory of 3980	1744	449800e5cc59a94c185471db521f39d0N.exe	87
PID 1744 wrote to memory of 3980	1744	449800e5cc59a94c185471db521f39d0N.exe	87
PID 1744 wrote to memory of 3980	1744	449800e5cc59a94c185471db521f39d0N.exe	87
PID 5036 wrote to memory of 1404	5036	449800e5cc59a94c185471db521f39d0N.exe	88
PID 5036 wrote to memory of 1404	5036	449800e5cc59a94c185471db521f39d0N.exe	88
PID 5036 wrote to memory of 1404	5036	449800e5cc59a94c185471db521f39d0N.exe	88
PID 3980 wrote to memory of 3524	3980	449800e5cc59a94c185471db521f39d0N.exe	89
PID 3980 wrote to memory of 3524	3980	449800e5cc59a94c185471db521f39d0N.exe	89
PID 3980 wrote to memory of 3524	3980	449800e5cc59a94c185471db521f39d0N.exe	89
PID 1744 wrote to memory of 1608	1744	449800e5cc59a94c185471db521f39d0N.exe	90
PID 1744 wrote to memory of 1608	1744	449800e5cc59a94c185471db521f39d0N.exe	90
PID 1744 wrote to memory of 1608	1744	449800e5cc59a94c185471db521f39d0N.exe	90
PID 5036 wrote to memory of 3368	5036	449800e5cc59a94c185471db521f39d0N.exe	91
PID 5036 wrote to memory of 3368	5036	449800e5cc59a94c185471db521f39d0N.exe	91
PID 5036 wrote to memory of 3368	5036	449800e5cc59a94c185471db521f39d0N.exe	91
PID 1404 wrote to memory of 4444	1404	449800e5cc59a94c185471db521f39d0N.exe	92
PID 1404 wrote to memory of 4444	1404	449800e5cc59a94c185471db521f39d0N.exe	92
PID 1404 wrote to memory of 4444	1404	449800e5cc59a94c185471db521f39d0N.exe	92
PID 1744 wrote to memory of 4712	1744	449800e5cc59a94c185471db521f39d0N.exe	93
PID 1744 wrote to memory of 4712	1744	449800e5cc59a94c185471db521f39d0N.exe	93
PID 1744 wrote to memory of 4712	1744	449800e5cc59a94c185471db521f39d0N.exe	93
PID 3980 wrote to memory of 2100	3980	449800e5cc59a94c185471db521f39d0N.exe	94
PID 3980 wrote to memory of 2100	3980	449800e5cc59a94c185471db521f39d0N.exe	94
PID 3980 wrote to memory of 2100	3980	449800e5cc59a94c185471db521f39d0N.exe	94
PID 5036 wrote to memory of 4964	5036	449800e5cc59a94c185471db521f39d0N.exe	95
PID 5036 wrote to memory of 4964	5036	449800e5cc59a94c185471db521f39d0N.exe	95
PID 5036 wrote to memory of 4964	5036	449800e5cc59a94c185471db521f39d0N.exe	95
PID 3524 wrote to memory of 1388	3524	449800e5cc59a94c185471db521f39d0N.exe	96
PID 3524 wrote to memory of 1388	3524	449800e5cc59a94c185471db521f39d0N.exe	96
PID 3524 wrote to memory of 1388	3524	449800e5cc59a94c185471db521f39d0N.exe	96
PID 1404 wrote to memory of 436	1404	449800e5cc59a94c185471db521f39d0N.exe	97
PID 1404 wrote to memory of 436	1404	449800e5cc59a94c185471db521f39d0N.exe	97
PID 1404 wrote to memory of 436	1404	449800e5cc59a94c185471db521f39d0N.exe	97
PID 3368 wrote to memory of 4308	3368	449800e5cc59a94c185471db521f39d0N.exe	98
PID 3368 wrote to memory of 4308	3368	449800e5cc59a94c185471db521f39d0N.exe	98
PID 3368 wrote to memory of 4308	3368	449800e5cc59a94c185471db521f39d0N.exe	98
PID 1608 wrote to memory of 732	1608	449800e5cc59a94c185471db521f39d0N.exe	99
PID 1608 wrote to memory of 732	1608	449800e5cc59a94c185471db521f39d0N.exe	99
PID 1608 wrote to memory of 732	1608	449800e5cc59a94c185471db521f39d0N.exe	99
PID 4444 wrote to memory of 4804	4444	449800e5cc59a94c185471db521f39d0N.exe	100
PID 4444 wrote to memory of 4804	4444	449800e5cc59a94c185471db521f39d0N.exe	100
PID 4444 wrote to memory of 4804	4444	449800e5cc59a94c185471db521f39d0N.exe	100
PID 1744 wrote to memory of 4508	1744	449800e5cc59a94c185471db521f39d0N.exe	101
PID 1744 wrote to memory of 4508	1744	449800e5cc59a94c185471db521f39d0N.exe	101
PID 1744 wrote to memory of 4508	1744	449800e5cc59a94c185471db521f39d0N.exe	101
PID 3980 wrote to memory of 1200	3980	449800e5cc59a94c185471db521f39d0N.exe	102
PID 3980 wrote to memory of 1200	3980	449800e5cc59a94c185471db521f39d0N.exe	102
PID 3980 wrote to memory of 1200	3980	449800e5cc59a94c185471db521f39d0N.exe	102
PID 4712 wrote to memory of 2700	4712	449800e5cc59a94c185471db521f39d0N.exe	103
PID 4712 wrote to memory of 2700	4712	449800e5cc59a94c185471db521f39d0N.exe	103
PID 4712 wrote to memory of 2700	4712	449800e5cc59a94c185471db521f39d0N.exe	103
PID 2100 wrote to memory of 672	2100	449800e5cc59a94c185471db521f39d0N.exe	104
PID 2100 wrote to memory of 672	2100	449800e5cc59a94c185471db521f39d0N.exe	104
PID 2100 wrote to memory of 672	2100	449800e5cc59a94c185471db521f39d0N.exe	104
PID 3524 wrote to memory of 2324	3524	449800e5cc59a94c185471db521f39d0N.exe	105
PID 3524 wrote to memory of 2324	3524	449800e5cc59a94c185471db521f39d0N.exe	105
PID 3524 wrote to memory of 2324	3524	449800e5cc59a94c185471db521f39d0N.exe	105
PID 5036 wrote to memory of 2400	5036	449800e5cc59a94c185471db521f39d0N.exe	106
PID 5036 wrote to memory of 2400	5036	449800e5cc59a94c185471db521f39d0N.exe	106
PID 5036 wrote to memory of 2400	5036	449800e5cc59a94c185471db521f39d0N.exe	106
PID 1404 wrote to memory of 3884	1404	449800e5cc59a94c185471db521f39d0N.exe	107

C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
"C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        8⤵
        
        PID:10548
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        8⤵
        
        PID:14948
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        8⤵
        
        PID:14940
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:13848
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        8⤵
        
        PID:13996
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:13268
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:12688
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:8676
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:11636
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:16188
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:14036
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14924
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:1056
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10956
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15372
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:12528
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8160
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11048
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15448
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:672
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:14028
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:16340
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10572
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15056
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7572
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10624
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15336
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6072
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:11056
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15576
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8152
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11040
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15440
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:11032
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15396
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7240
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14688
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9788
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13588
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6784
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:12512
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8996
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12960
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11928
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8264
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11148
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15828
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:3532
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:376
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:16380
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10648
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15212
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7992
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10964
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15456
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:12496
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8608
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11540
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:16064
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10184
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14556
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7532
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10564
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15048
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:16372
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10192
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14496
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6304
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12420
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8552
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11412
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15864
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:9700
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13524
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14300
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9668
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13540
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13276
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9148
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13256
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11064
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15584
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8336
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11256
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15636
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:5876
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10176
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14488
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7564
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10812
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:14932
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6948
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12856
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:13164
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11420
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15844
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:8000
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:10972
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:15388
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:4244
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:10204
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:14592
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        7⤵
        
        PID:16356
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:10616
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15380
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:8408
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:15644
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:6588
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:12536
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8876
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12260
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:9692
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13532
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13980
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9660
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13516
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:352
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:8424
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:11212
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15652
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12520
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8816
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11912
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:9960
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13972
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7248
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14328
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9968
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14044
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10764
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15164
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6560
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12780
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8808
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11748
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10276
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14524
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7472
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:16348
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10388
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15072
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7004
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13300
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:13412
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:11744
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:8296
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:11248
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:15604
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:9564
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:13580
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7256
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14796
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9912
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13856
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        6⤵
        
        PID:14224
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:9780
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:13596
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:12504
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:8868
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:12224
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:5812
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10348
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14680
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7444
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10364
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:14916
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7556
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10632
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:15172
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:6412
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:12768
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:8684
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:11532
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:16072
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:10896
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:15364
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7464
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10380
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:14804
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:7372
    - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
        5⤵
        
        PID:14956
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10540
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:14904
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:6340
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:12384
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:8592
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:11524
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:16080
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:5632
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:9764
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:13932
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:14460
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:9820
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:13752
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:6928
  - - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
      4⤵
      PID:10296
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:9136
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:13100
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:6184
- - C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
    3⤵
    PID:11920
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:8400
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:11228
- C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\449800e5cc59a94c185471db521f39d0N.exe"
  2⤵
  PID:15596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking several models gorgeoushorny .mpg.exe

Filesize
576KB

MD5
9df4fd393d74f82a09a9b41789673208

SHA1
9b37ce8b96211c1ccac2912ce652131ce5be1f09

SHA256
64dcd6c4d0f634a720a4bef81054230f711f003b7329ff7b32abeb1ac35fa106

SHA512
a79af0263ab283f7cbdd309b7d1dd11c78f94241cb6d148d462b3d2aabf26269dca70ecf6dedfeaed1ee877055ccf994cf28d716b3a86e39f32840d8a894f066

Download Submit