c537669a24dfc0a6d93c2da23a874b12b78bc6ff6ccb92adc648fc94023989c6

Analysis

max time kernel
16s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fdcff5d7da9977c8404266a30c5c9b0N.exe
Size

565KB
MD5

0fdcff5d7da9977c8404266a30c5c9b0
SHA1

90bcd93b68b09605a883b911e17a40e5c7b7c663
SHA256

c537669a24dfc0a6d93c2da23a874b12b78bc6ff6ccb92adc648fc94023989c6
SHA512

9d1cb81224eeb91dd04228dc8d7f517e95a3805d163e746dad84340a6c9bd1f5ecb73b83463a1656d3bc20c90d28602adf0ddc68399c2db267a9eb63fa6895c4
SSDEEP

12288:A//vi9BpDVjj3zDaBRI12SPF2mtEjQSAI2Gt0JNSdP2onU:2w1dj3aBE2SdNtfBG2OdOoU

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\I:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\L:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\M:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\R:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\V:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\Z:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\A:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\J:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\W:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\X:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\G:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\K:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\Q:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\U:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\B:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\H:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\N:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\O:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\P:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\S:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\T:	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File opened (read-only)	\??\Y:	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\swedish hardcore bukkake girls .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gang bang girls .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm lesbian lady .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\canadian horse beast uncut pregnant .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\beast lesbian gorgeoushorny .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lingerie full movie wifey (Liz,Sylvia).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\asian trambling fucking girls vagina lady (Ashley).rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\System32\DriverStore\Temp\japanese bukkake catfight hairy .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese bukkake bukkake sleeping penetration .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\spanish gang bang licking feet castration .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\malaysia cumshot [bangbus] boobs shower .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian bukkake uncut ash latex .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\handjob cum lesbian hotel (Curtney).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\lesbian hot (!) gorgeoushorny (Gina).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\black lingerie several models boots .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\beastiality bukkake sleeping titts shoes (Curtney).rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7A02.tmp\german horse several models feet .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\malaysia trambling uncut .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\dotnet\shared\kicking porn voyeur mistress .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\french hardcore cumshot lesbian ash .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish horse fetish public latex .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\handjob several models .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lingerie cum licking ¼ë .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian nude handjob masturbation .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\russian animal uncut glans shoes .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\sperm animal licking gorgeoushorny (Sarah,Melissa).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\action licking (Sarah).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\german sperm cum lesbian hotel (Sylvia).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish xxx big glans YEâPSè& .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black beast [bangbus] .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Program Files (x86)\Google\Temp\danish lesbian gay girls traffic .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\asian beastiality sleeping hole shower (Sonja).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\canadian beast licking granny .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\horse action hidden .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\tyrkish fetish hidden high heels (Christine,Britney).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\mssrv.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish cum masturbation .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\fetish horse [free] YEâPSè& .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\lingerie lesbian swallow .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\russian kicking [bangbus] .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\xxx blowjob uncut wifey (Anniston,Liz).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\brasilian cumshot bukkake voyeur castration .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\lingerie trambling [free] .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\french gang bang animal licking ash wifey .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\british blowjob bukkake full movie hole .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\japanese porn cum voyeur vagina YEâPSè& (Sylvia).mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\spanish cum full movie .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\lesbian hidden .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\Downloaded Program Files\brasilian blowjob big penetration (Anniston).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\action horse voyeur redhair (Jade).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\german nude hardcore several models (Liz,Jenna).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\italian bukkake hidden hole (Tatjana,Liz).mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\assembly\temp\danish horse lesbian boobs 50+ (Sylvia,Curtney).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\PLA\Templates\african horse big ash bedroom .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\canadian gay uncut .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\african hardcore cum licking .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\japanese kicking uncut Ôï .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\brasilian lesbian hot (!) glans (Britney,Gina).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lesbian lesbian glans gorgeoushorny .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\british lingerie trambling hidden penetration .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\porn voyeur .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\beastiality trambling hidden .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\sperm trambling lesbian boots .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\gang bang hot (!) fishy (Sylvia).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\gang bang cum [free] black hairunshaved .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\brasilian gay cum licking 40+ .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\hardcore [bangbus] mistress .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\african gang bang gang bang licking hole (Samantha,Gina).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\canadian cum sleeping beautyfull .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\nude several models titts bedroom .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\french cumshot horse sleeping girly .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\assembly\tmp\xxx catfight ash .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\swedish fucking masturbation (Liz).mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\fucking handjob full movie balls .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\brasilian gay [milf] shower .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\italian nude action girls (Janette).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\tyrkish fucking [milf] boobs .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\animal catfight circumcision .rar.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SoftwareDistribution\Download\indian handjob hot (!) .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\swedish hardcore bukkake voyeur .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\french beastiality catfight ash high heels .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\spanish fucking lesbian .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\asian animal cum masturbation (Sylvia,Sarah).mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\nude hot (!) ejaculation (Gina,Sarah).avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\british horse [milf] feet bedroom (Kathrin,Jade).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\fetish gang bang hot (!) .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\black beast kicking voyeur .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\chinese handjob kicking full movie feet .avi.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\british hardcore beastiality sleeping hole leather .zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\horse fucking voyeur .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\lingerie [bangbus] fishy (Jenna,Anniston).mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\asian handjob big nipples balls .mpg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\porn bukkake lesbian feet (Sarah).zip.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian sperm [milf] blondie .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fetish horse hot (!) .mpeg.exe	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
3596	0fdcff5d7da9977c8404266a30c5c9b0N.exe
3596	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1564	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1564	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4408	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4408	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1412	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1412	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
624	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4268	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4268	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1108	0fdcff5d7da9977c8404266a30c5c9b0N.exe
1108	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4800	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe
2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe
604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
4604	0fdcff5d7da9977c8404266a30c5c9b0N.exe
3448	0fdcff5d7da9977c8404266a30c5c9b0N.exe
3448	0fdcff5d7da9977c8404266a30c5c9b0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1672	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	87
PID 1440 wrote to memory of 1672	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	87
PID 1440 wrote to memory of 1672	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	87
PID 1440 wrote to memory of 624	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	92
PID 1440 wrote to memory of 624	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	92
PID 1440 wrote to memory of 624	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	92
PID 1672 wrote to memory of 1800	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	93
PID 1672 wrote to memory of 1800	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	93
PID 1672 wrote to memory of 1800	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	93
PID 1440 wrote to memory of 4528	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	94
PID 1440 wrote to memory of 4528	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	94
PID 1440 wrote to memory of 4528	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	94
PID 624 wrote to memory of 2664	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	95
PID 624 wrote to memory of 2664	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	95
PID 624 wrote to memory of 2664	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	95
PID 1672 wrote to memory of 2096	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	96
PID 1672 wrote to memory of 2096	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	96
PID 1672 wrote to memory of 2096	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	96
PID 1800 wrote to memory of 604	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	97
PID 1800 wrote to memory of 604	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	97
PID 1800 wrote to memory of 604	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	97
PID 1440 wrote to memory of 3596	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	99
PID 1440 wrote to memory of 3596	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	99
PID 1440 wrote to memory of 3596	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	99
PID 4528 wrote to memory of 1564	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	100
PID 4528 wrote to memory of 1564	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	100
PID 4528 wrote to memory of 1564	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	100
PID 1672 wrote to memory of 2280	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	101
PID 1672 wrote to memory of 2280	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	101
PID 1672 wrote to memory of 2280	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	101
PID 624 wrote to memory of 4408	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	102
PID 624 wrote to memory of 4408	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	102
PID 624 wrote to memory of 4408	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	102
PID 2664 wrote to memory of 4268	2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe	103
PID 2664 wrote to memory of 4268	2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe	103
PID 2664 wrote to memory of 4268	2664	0fdcff5d7da9977c8404266a30c5c9b0N.exe	103
PID 1800 wrote to memory of 1412	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	104
PID 1800 wrote to memory of 1412	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	104
PID 1800 wrote to memory of 1412	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	104
PID 2096 wrote to memory of 1108	2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe	105
PID 2096 wrote to memory of 1108	2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe	105
PID 2096 wrote to memory of 1108	2096	0fdcff5d7da9977c8404266a30c5c9b0N.exe	105
PID 604 wrote to memory of 4800	604	0fdcff5d7da9977c8404266a30c5c9b0N.exe	106
PID 604 wrote to memory of 4800	604	0fdcff5d7da9977c8404266a30c5c9b0N.exe	106
PID 604 wrote to memory of 4800	604	0fdcff5d7da9977c8404266a30c5c9b0N.exe	106
PID 1440 wrote to memory of 4604	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	108
PID 1440 wrote to memory of 4604	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	108
PID 1440 wrote to memory of 4604	1440	0fdcff5d7da9977c8404266a30c5c9b0N.exe	108
PID 4528 wrote to memory of 3448	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	109
PID 4528 wrote to memory of 3448	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	109
PID 4528 wrote to memory of 3448	4528	0fdcff5d7da9977c8404266a30c5c9b0N.exe	109
PID 3596 wrote to memory of 1856	3596	0fdcff5d7da9977c8404266a30c5c9b0N.exe	110
PID 3596 wrote to memory of 1856	3596	0fdcff5d7da9977c8404266a30c5c9b0N.exe	110
PID 3596 wrote to memory of 1856	3596	0fdcff5d7da9977c8404266a30c5c9b0N.exe	110
PID 1564 wrote to memory of 2788	1564	0fdcff5d7da9977c8404266a30c5c9b0N.exe	111
PID 1564 wrote to memory of 2788	1564	0fdcff5d7da9977c8404266a30c5c9b0N.exe	111
PID 1564 wrote to memory of 2788	1564	0fdcff5d7da9977c8404266a30c5c9b0N.exe	111
PID 1672 wrote to memory of 384	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	112
PID 1672 wrote to memory of 384	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	112
PID 1672 wrote to memory of 384	1672	0fdcff5d7da9977c8404266a30c5c9b0N.exe	112
PID 624 wrote to memory of 2896	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	113
PID 624 wrote to memory of 2896	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	113
PID 624 wrote to memory of 2896	624	0fdcff5d7da9977c8404266a30c5c9b0N.exe	113
PID 1800 wrote to memory of 2088	1800	0fdcff5d7da9977c8404266a30c5c9b0N.exe	114

C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
"C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        9⤵
        
        PID:17620
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:13500
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:18532
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:15252
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:16708
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:17852
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13460
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18492
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:21168
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:11320
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:11548
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13340
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17972
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:11576
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13160
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17684
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21204
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13620
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18564
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:17548
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13572
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18580
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15276
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18920
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13220
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17308
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:3588
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15524
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21612
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:10684
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17236
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13364
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18832
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6432
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:11532
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13172
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17692
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:11480
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13660
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18684
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:9676
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:11640
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13524
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18636
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15212
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18880
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9992
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18904
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13428
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18404
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18224
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:11836
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:12220
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18240
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6440
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:12148
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13244
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17396
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8600
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17596
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13652
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18452
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21312
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13548
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18620
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15868
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:6948
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:10456
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17288
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13388
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18280
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8172
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21136
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11120
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15260
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21080
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13348
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18272
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:12104
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13292
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17340
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8584
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21152
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13644
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18596
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:9576
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:22500
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13564
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18700
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15184
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18896
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:10036
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17252
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13404
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18708
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15640
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21900
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:10636
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17228
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13372
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18604
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13692
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18872
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8728
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21160
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13636
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18540
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6260
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9404
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21212
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13556
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18644
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7768
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15760
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21924
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:10464
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17260
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13380
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18264
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8880
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:14868
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13604
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18660
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6360
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11604
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13156
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17676
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8448
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18232
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:12012
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13308
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1252
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:5888
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:3908
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13580
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18840
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15228
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21088
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9944
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21228
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13212
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17300
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8440
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21184
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:12256
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13284
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17380
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6336
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11680
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:636
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17356
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8544
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18172
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:12172
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13276
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17412
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6220
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9832
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18668
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13508
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18516
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:7356
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15268
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21104
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:10212
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18156
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13444
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18428
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8212
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21176
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11340
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11620
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13332
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18132
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:6368
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13252
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17404
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:8552
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18208
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:11912
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:18144
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:9820
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        8⤵
        
        PID:17428
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:13484
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18500
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:15220
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18864
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21220
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13468
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18556
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:18676
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:11696
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17652
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:12040
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13300
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17388
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8576
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21320
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13684
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18856
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9812
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17276
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13516
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18628
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15964
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:24048
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21064
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13412
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18412
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9372
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21144
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13204
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17332
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6416
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11992
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:2964
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13788
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8632
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18180
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13628
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18572
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:4416
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9684
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:17628
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13228
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15192
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18888
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17268
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13396
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18396
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21096
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11456
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13316
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18252
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6384
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11668
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17644
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8592
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21192
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13236
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17104
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:5940
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9440
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21056
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13596
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18848
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:7340
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15236
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18444
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:10028
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17568
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13416
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18436
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8156
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15648
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21620
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:10972
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17244
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13356
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18128
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:6400
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11660
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13148
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18468
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:8608
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18928
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:13196
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:17372
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:5916
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:9384
        
        C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        7⤵
        
        PID:21072
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:13588
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18548
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7276
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:15752
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21600
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9968
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:17612
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13452
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18484
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18692
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11740
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:4004
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17660
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:6352
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11848
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:11396
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17636
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8616
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21236
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13668
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18476
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:5896
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:18200
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13492
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18524
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:7252
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15176
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18912
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:10072
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17436
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13188
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17708
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8288
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:21120
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11688
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17668
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:6344
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11348
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15312
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13324
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18164
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:8456
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:14872
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:12180
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:13268
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:17420
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:5872
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:9660
      - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        6⤵
        
        PID:21112
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:13540
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:18612
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:7300
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:15780
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:7948
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:10020
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17588
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13436
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18420
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:8752
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17604
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13612
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18588
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:6328
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:11856
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17556
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:8560
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:21128
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:12164
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:13260
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:16328
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:9668
    - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
        5⤵
        
        PID:17944
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:13532
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18652
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:7292
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:15244
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:4952
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:9984
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:17284
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:13476
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:18508
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  PID:5148
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:8220
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:18216
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:11436
  - - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
      4⤵
      PID:15452
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:17964
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  PID:6392
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:11920
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:13004
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:17364
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  PID:8568
- - C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
    3⤵
    PID:1636
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  PID:13676
- C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\0fdcff5d7da9977c8404266a30c5c9b0N.exe"
  2⤵
  PID:18460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian nude handjob masturbation .mpg.exe

Filesize
747KB

MD5
7b11c80cc821aeabfb87ea494371119b

SHA1
6e72590fc8b744a9adfd5b36e5581e49e69d7a84

SHA256
58031ee99476a75f690ae5ceb0350c2efb9bfd23a116f783c7cc3c6bd73892fb

SHA512
cada49312b9ce7f5aa443a83fff0f1956985340b4e24580f9e7aa1b4ef745d9c13ed1d32f951173eaa705b2c0be6f8879bb3c6899ecdd39c97f598f01d769ed9

Download Submit
C:\debug.txt

Filesize
146B

MD5
8699266e61ad884d34e11e94a574f9ea

SHA1
6639cc64aeeea7408e012358138e82865da6674c

SHA256
4ca30e58209b0013b2d16faea6e33cf7dd4e1b62cff3022b1f7e651c7635d921

SHA512
b918ebf4ffe4e03293e352e5a0692d7b6716d170d71b89be9dd0968a8d37f8807b69b3779fdc1b91b5ed57d6c593797610c05d0460e2ed1c2f5b49de89db728e

Download Submit