e763b8fa7e75d202dc2ca3a40df4c8ee47a79412715c92faacc982f67c31a8d6

Analysis

max time kernel
12s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa1947b55064cbf345c04a91d044110N.exe
Size

1.6MB
MD5

5aa1947b55064cbf345c04a91d044110
SHA1

dbcceaeede96d07770a0bc7f3387efefa4dbe28a
SHA256

e763b8fa7e75d202dc2ca3a40df4c8ee47a79412715c92faacc982f67c31a8d6
SHA512

c953d0140c4cef82caa8b6fe5291cce6bab2432ee17c348a93cab110ec36c406bb55cad368a959885537c8dc082ad11701c132767e0059a485d827800bcdb1de
SSDEEP

24576:lISjiQBofCloQGc746cI4s2Ce+0oVdPMZK96IYLGjY3Ep8LJft6/gHw5g67Q:OSjiQBpJoI4dCTdPl6LLEEP6/gQf7Q

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	5aa1947b55064cbf345c04a91d044110N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1616-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000700000002345d-5.dat	upx
behavioral2/memory/4264-95-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2404-164-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/532-165-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1888-184-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1948-185-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2416-186-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4524-187-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2960-188-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1616-190-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1152-191-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1944-189-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4432-192-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2928-194-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4264-193-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4988-196-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2404-195-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4892-198-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/532-197-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1888-199-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4120-201-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1948-200-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2416-203-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3348-204-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4524-205-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4128-207-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5048-206-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2224-212-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1152-213-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2016-215-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1420-214-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3272-219-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4064-218-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5028-217-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4432-216-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2032-211-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3316-210-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1944-209-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2960-208-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2928-220-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3604-221-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4188-223-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4292-224-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4988-222-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1552-226-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4120-227-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4136-228-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4892-225-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3348-232-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1524-245-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2548-244-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2224-243-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2032-242-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3316-241-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3080-240-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4092-239-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3056-238-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1328-237-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3180-236-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1580-235-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4128-234-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5048-233-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3520-246-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	5aa1947b55064cbf345c04a91d044110N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\Y:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\S:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\E:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\G:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\J:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\N:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\P:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\W:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\B:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\R:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\X:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\M:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\H:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\I:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\K:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\L:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\O:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\Q:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\T:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\A:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\Z:	5aa1947b55064cbf345c04a91d044110N.exe
File opened (read-only)	\??\V:	5aa1947b55064cbf345c04a91d044110N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob public hole .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm masturbation glans bedroom .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia lingerie voyeur .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob [bangbus] young .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian fetish beast girls titts penetration .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish horse xxx licking feet leather .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore [milf] .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie sleeping .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\System32\DriverStore\Temp\lesbian public feet shower (Janette).zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish nude gay full movie cock shower (Melissa).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\blowjob several models .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish porn blowjob full movie glans stockings (Liz).mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\indian fetish trambling hidden upskirt .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\dotnet\shared\black horse lesbian [bangbus] hole .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\japanese fetish hardcore [milf] titts girly (Liz).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Google\Update\Download\beast voyeur hole (Kathrin,Samantha).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\spanish bukkake lesbian cock hairy (Janette).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian cum lingerie licking hole ejaculation .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\trambling big .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish cum sperm licking cock mistress (Sarah).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\hardcore licking hole YEâPSè& .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\japanese horse sperm licking lady (Sonja,Janette).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black beastiality sperm several models granny .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm big glans .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Google\Temp\swedish horse bukkake [milf] feet high heels .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian cum lesbian public (Melissa).mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish horse lingerie voyeur hole femdom (Melissa).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian nude lesbian [bangbus] hole (Britney,Liz).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american horse lesbian voyeur titts .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\french trambling [free] titts circumcision .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\Downloaded Program Files\black horse horse sleeping feet bedroom .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\horse big .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\spanish sperm [milf] titts (Ashley,Sarah).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\action lesbian licking .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\japanese animal lingerie lesbian hole (Britney,Jade).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\german sperm hot (!) latex .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\horse blowjob lesbian .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\french beast public boots .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\action xxx sleeping feet lady .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\canadian trambling public titts gorgeoushorny (Samantha).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\japanese fetish xxx girls bedroom (Sonja,Sarah).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\french sperm voyeur hole granny .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\chinese blowjob [bangbus] feet ejaculation .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\assembly\tmp\brasilian cum blowjob masturbation glans balls .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\bukkake [milf] blondie .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\german lingerie licking feet pregnant .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\assembly\temp\hardcore [bangbus] glans .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\canadian lingerie hot (!) high heels .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\norwegian bukkake public cock .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\american gang bang hardcore catfight (Sarah).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\animal hardcore lesbian bondage .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\tyrkish gang bang lingerie licking (Liz).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\african lingerie masturbation .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\action hardcore several models (Liz).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\malaysia hardcore [free] glans (Ashley,Tatjana).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\hardcore lesbian leather .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\cum horse voyeur glans blondie (Sylvia).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\chinese lingerie sleeping .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese cum gay full movie lady .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\norwegian blowjob lesbian feet 40+ (Sarah).zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian handjob lesbian catfight (Curtney).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\canadian trambling [bangbus] black hairunshaved .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\xxx voyeur cock penetration .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\security\templates\russian handjob hardcore catfight girly .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\german horse masturbation girly .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\blowjob full movie (Jade).mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\british gay big bedroom .avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\spanish sperm masturbation cock .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\tyrkish fetish xxx hot (!) traffic .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\british fucking full movie hole .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\fucking [free] shower .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\american nude beast big glans .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black kicking trambling voyeur girly (Jenna,Karin).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\swedish porn hardcore uncut YEâPSè& (Sonja,Karin).mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\mssrv.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\blowjob girls boots .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian gang bang hardcore masturbation .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\swedish cum horse lesbian hole 50+ (Janette).mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie big (Tatjana).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\lesbian voyeur (Liz).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\swedish beastiality bukkake [bangbus] .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\british xxx several models glans (Jenna,Curtney).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\blowjob several models cock latex (Liz).mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\beastiality bukkake big ash .mpg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\american cumshot gay girls traffic .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\trambling [milf] mistress .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\spanish gay girls titts .rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\PLA\Templates\brasilian cumshot beast public titts blondie (Melissa).zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\beast voyeur mistress .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\sperm girls cock mature .zip.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\gang bang sperm hidden feet castration (Samantha).rar.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\asian bukkake voyeur penetration .mpeg.exe	5aa1947b55064cbf345c04a91d044110N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\swedish kicking lesbian lesbian cock black hairunshaved (Karin).avi.exe	5aa1947b55064cbf345c04a91d044110N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1616	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
1888	5aa1947b55064cbf345c04a91d044110N.exe
1888	5aa1947b55064cbf345c04a91d044110N.exe
1948	5aa1947b55064cbf345c04a91d044110N.exe
1948	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
2416	5aa1947b55064cbf345c04a91d044110N.exe
2416	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
4524	5aa1947b55064cbf345c04a91d044110N.exe
4524	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
2960	5aa1947b55064cbf345c04a91d044110N.exe
2960	5aa1947b55064cbf345c04a91d044110N.exe
1888	5aa1947b55064cbf345c04a91d044110N.exe
1888	5aa1947b55064cbf345c04a91d044110N.exe
1944	5aa1947b55064cbf345c04a91d044110N.exe
1944	5aa1947b55064cbf345c04a91d044110N.exe
1152	5aa1947b55064cbf345c04a91d044110N.exe
1152	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
1616	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
2404	5aa1947b55064cbf345c04a91d044110N.exe
4432	5aa1947b55064cbf345c04a91d044110N.exe
4432	5aa1947b55064cbf345c04a91d044110N.exe
2928	5aa1947b55064cbf345c04a91d044110N.exe
2928	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
4264	5aa1947b55064cbf345c04a91d044110N.exe
1948	5aa1947b55064cbf345c04a91d044110N.exe
1948	5aa1947b55064cbf345c04a91d044110N.exe
4988	5aa1947b55064cbf345c04a91d044110N.exe
4988	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
532	5aa1947b55064cbf345c04a91d044110N.exe
4892	5aa1947b55064cbf345c04a91d044110N.exe
4892	5aa1947b55064cbf345c04a91d044110N.exe
4120	5aa1947b55064cbf345c04a91d044110N.exe
4120	5aa1947b55064cbf345c04a91d044110N.exe
2416	5aa1947b55064cbf345c04a91d044110N.exe
2416	5aa1947b55064cbf345c04a91d044110N.exe
4524	5aa1947b55064cbf345c04a91d044110N.exe
4524	5aa1947b55064cbf345c04a91d044110N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4264	1616	5aa1947b55064cbf345c04a91d044110N.exe	87
PID 1616 wrote to memory of 4264	1616	5aa1947b55064cbf345c04a91d044110N.exe	87
PID 1616 wrote to memory of 4264	1616	5aa1947b55064cbf345c04a91d044110N.exe	87
PID 1616 wrote to memory of 2404	1616	5aa1947b55064cbf345c04a91d044110N.exe	92
PID 1616 wrote to memory of 2404	1616	5aa1947b55064cbf345c04a91d044110N.exe	92
PID 1616 wrote to memory of 2404	1616	5aa1947b55064cbf345c04a91d044110N.exe	92
PID 4264 wrote to memory of 532	4264	5aa1947b55064cbf345c04a91d044110N.exe	93
PID 4264 wrote to memory of 532	4264	5aa1947b55064cbf345c04a91d044110N.exe	93
PID 4264 wrote to memory of 532	4264	5aa1947b55064cbf345c04a91d044110N.exe	93
PID 2404 wrote to memory of 1888	2404	5aa1947b55064cbf345c04a91d044110N.exe	94
PID 2404 wrote to memory of 1888	2404	5aa1947b55064cbf345c04a91d044110N.exe	94
PID 2404 wrote to memory of 1888	2404	5aa1947b55064cbf345c04a91d044110N.exe	94
PID 1616 wrote to memory of 1948	1616	5aa1947b55064cbf345c04a91d044110N.exe	95
PID 1616 wrote to memory of 1948	1616	5aa1947b55064cbf345c04a91d044110N.exe	95
PID 1616 wrote to memory of 1948	1616	5aa1947b55064cbf345c04a91d044110N.exe	95
PID 4264 wrote to memory of 2416	4264	5aa1947b55064cbf345c04a91d044110N.exe	96
PID 4264 wrote to memory of 2416	4264	5aa1947b55064cbf345c04a91d044110N.exe	96
PID 4264 wrote to memory of 2416	4264	5aa1947b55064cbf345c04a91d044110N.exe	96
PID 532 wrote to memory of 4524	532	5aa1947b55064cbf345c04a91d044110N.exe	97
PID 532 wrote to memory of 4524	532	5aa1947b55064cbf345c04a91d044110N.exe	97
PID 532 wrote to memory of 4524	532	5aa1947b55064cbf345c04a91d044110N.exe	97
PID 1888 wrote to memory of 2960	1888	5aa1947b55064cbf345c04a91d044110N.exe	99
PID 1888 wrote to memory of 2960	1888	5aa1947b55064cbf345c04a91d044110N.exe	99
PID 1888 wrote to memory of 2960	1888	5aa1947b55064cbf345c04a91d044110N.exe	99
PID 2404 wrote to memory of 1944	2404	5aa1947b55064cbf345c04a91d044110N.exe	100
PID 2404 wrote to memory of 1944	2404	5aa1947b55064cbf345c04a91d044110N.exe	100
PID 2404 wrote to memory of 1944	2404	5aa1947b55064cbf345c04a91d044110N.exe	100
PID 1616 wrote to memory of 1152	1616	5aa1947b55064cbf345c04a91d044110N.exe	101
PID 1616 wrote to memory of 1152	1616	5aa1947b55064cbf345c04a91d044110N.exe	101
PID 1616 wrote to memory of 1152	1616	5aa1947b55064cbf345c04a91d044110N.exe	101
PID 4264 wrote to memory of 4432	4264	5aa1947b55064cbf345c04a91d044110N.exe	102
PID 4264 wrote to memory of 4432	4264	5aa1947b55064cbf345c04a91d044110N.exe	102
PID 4264 wrote to memory of 4432	4264	5aa1947b55064cbf345c04a91d044110N.exe	102
PID 1948 wrote to memory of 2928	1948	5aa1947b55064cbf345c04a91d044110N.exe	103
PID 1948 wrote to memory of 2928	1948	5aa1947b55064cbf345c04a91d044110N.exe	103
PID 1948 wrote to memory of 2928	1948	5aa1947b55064cbf345c04a91d044110N.exe	103
PID 532 wrote to memory of 4988	532	5aa1947b55064cbf345c04a91d044110N.exe	104
PID 532 wrote to memory of 4988	532	5aa1947b55064cbf345c04a91d044110N.exe	104
PID 532 wrote to memory of 4988	532	5aa1947b55064cbf345c04a91d044110N.exe	104
PID 2416 wrote to memory of 4892	2416	5aa1947b55064cbf345c04a91d044110N.exe	105
PID 2416 wrote to memory of 4892	2416	5aa1947b55064cbf345c04a91d044110N.exe	105
PID 2416 wrote to memory of 4892	2416	5aa1947b55064cbf345c04a91d044110N.exe	105
PID 4524 wrote to memory of 4120	4524	5aa1947b55064cbf345c04a91d044110N.exe	106
PID 4524 wrote to memory of 4120	4524	5aa1947b55064cbf345c04a91d044110N.exe	106
PID 4524 wrote to memory of 4120	4524	5aa1947b55064cbf345c04a91d044110N.exe	106
PID 1888 wrote to memory of 3348	1888	5aa1947b55064cbf345c04a91d044110N.exe	108
PID 1888 wrote to memory of 3348	1888	5aa1947b55064cbf345c04a91d044110N.exe	108
PID 1888 wrote to memory of 3348	1888	5aa1947b55064cbf345c04a91d044110N.exe	108
PID 2404 wrote to memory of 5048	2404	5aa1947b55064cbf345c04a91d044110N.exe	109
PID 2404 wrote to memory of 5048	2404	5aa1947b55064cbf345c04a91d044110N.exe	109
PID 2404 wrote to memory of 5048	2404	5aa1947b55064cbf345c04a91d044110N.exe	109
PID 1616 wrote to memory of 4128	1616	5aa1947b55064cbf345c04a91d044110N.exe	110
PID 1616 wrote to memory of 4128	1616	5aa1947b55064cbf345c04a91d044110N.exe	110
PID 1616 wrote to memory of 4128	1616	5aa1947b55064cbf345c04a91d044110N.exe	110
PID 2960 wrote to memory of 3316	2960	5aa1947b55064cbf345c04a91d044110N.exe	111
PID 2960 wrote to memory of 3316	2960	5aa1947b55064cbf345c04a91d044110N.exe	111
PID 2960 wrote to memory of 3316	2960	5aa1947b55064cbf345c04a91d044110N.exe	111
PID 4264 wrote to memory of 2032	4264	5aa1947b55064cbf345c04a91d044110N.exe	112
PID 4264 wrote to memory of 2032	4264	5aa1947b55064cbf345c04a91d044110N.exe	112
PID 4264 wrote to memory of 2032	4264	5aa1947b55064cbf345c04a91d044110N.exe	112
PID 532 wrote to memory of 2224	532	5aa1947b55064cbf345c04a91d044110N.exe	113
PID 532 wrote to memory of 2224	532	5aa1947b55064cbf345c04a91d044110N.exe	113
PID 532 wrote to memory of 2224	532	5aa1947b55064cbf345c04a91d044110N.exe	113
PID 1944 wrote to memory of 1420	1944	5aa1947b55064cbf345c04a91d044110N.exe	115

C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
"C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        9⤵
        
        PID:13860
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:11912
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:15804
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:15812
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:10264
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15644
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:8340
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:15240
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:12160
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:17352
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:12176
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:17368
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:8440
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15700
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12120
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15752
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:13880
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:11880
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:16028
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:10256
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11832
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15772
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:1328
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15964
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11076
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11768
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15692
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6416
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:13064
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:17344
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15764
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12080
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16796
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:4136
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:9892
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:15512
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:11888
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15996
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15876
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11816
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15652
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15296
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:10648
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11784
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15676
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6444
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12908
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:17312
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8452
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15780
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12096
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17660
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12256
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16160
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7272
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16020
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:10356
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11792
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15616
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7184
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15328
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11744
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15144
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6708
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12360
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15972
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12072
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16360
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:10552
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:11728
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15204
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:10060
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:13872
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11872
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15712
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15932
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12216
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:14264
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6408
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12240
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:14244
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8372
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15184
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12104
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16760
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12928
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:17416
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15280
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:10196
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:13896
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11840
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16036
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7196
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9404
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15852
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11952
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16068
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6448
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12224
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:14284
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8420
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16012
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12136
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:3564
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:9908
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15168
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11900
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16004
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15344
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9832
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:13144
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:14276
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11944
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16052
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15836
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12184
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17384
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6400
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12232
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17392
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8408
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15224
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12144
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:17320
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6044
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9840
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:14304
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11936
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16328
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:7204
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15924
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:10584
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11736
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16336
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:9396
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15176
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12008
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16084
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:6840
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12868
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:17328
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:8936
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15820
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:12040
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:15352
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:3316
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:9672
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        8⤵
        
        PID:15908
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:16368
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15844
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:10052
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:13888
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11864
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15736
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:5140
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:9276
        
        C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        7⤵
        
        PID:15248
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12024
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:17288
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6828
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12880
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16168
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8944
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15528
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12064
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16780
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:1276
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12192
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:17376
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15948
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:10188
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15504
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11848
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15980
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9312
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15256
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12000
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17336
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15892
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8748
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15304
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12056
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16344
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:9724
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:11920
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16060
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15868
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:10272
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11800
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15636
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8976
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15884
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12016
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:16376
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6392
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12920
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8364
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15956
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11752
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15196
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:5584
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12168
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17360
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:7312
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15900
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:10284
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:19832
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15684
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:9348
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15232
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11992
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16752
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:6304
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15288
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:8664
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15788
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:12032
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:16768
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:4188
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:12248
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16152
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:7336
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:16352
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9900
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15520
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11896
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15988
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:8280
      - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        6⤵
        
        PID:15336
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12264
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:14272
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6436
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:13072
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:17304
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8492
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15216
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12088
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16556
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6052
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:9716
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:11928
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15728
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:7176
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15916
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:9764
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15588
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11960
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16044
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:7608
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:10324
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11808
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15720
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:6384
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12208
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:17400
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:8356
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15272
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:12152
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:16188
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:12200
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:14296
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15264
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:10720
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11776
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15668
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:8484
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15796
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12112
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:17296
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:6460
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:12760
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16268
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:8432
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:15828
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:12128
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:9568
    - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
        5⤵
        
        PID:15860
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:11976
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:17280
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:7264
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:10072
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:11856
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:15660
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:5156
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:9416
  - - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
      4⤵
      PID:16076
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:11984
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:16176
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:7052
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:13568
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:8212
- - C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
    3⤵
    PID:15940
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:12048
- C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa1947b55064cbf345c04a91d044110N.exe"
  2⤵
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian cum lingerie licking hole ejaculation .mpg.exe

Filesize
1.8MB

MD5
7a009c182aad243af0498a15513954b4

SHA1
f0cd6f7ab120a10670a26ca2e607ea54dcad4e25

SHA256
05643805b805a7fb9032bfdefd1af25401b5575fe321ddc036c4aafd868153ad

SHA512
ac45dfbe97220b832119bd53bdab9ec9a440f02919698bd162e135db64deb61bd572928b2bdb3cd8827aeccd8dd56187daa72451194001ead8da4e2c3da2db87

Download Submit
C:\debug.txt

Filesize
146B

MD5
5e29527cab8dead58c67e2f01d2a2211

SHA1
8d6b5c7940302f4f9965058eac22c119111665f5

SHA256
5245ef31a119bcdd890ee67555228aaeebeaff5b78bb2be3f61c4497d1de79b6

SHA512
6db64c3877b82892129bb3b0f851764911b72da17d66d26ef70f2ddfe6df8ae1af30ec256becf1b51c5772fde40013a8bb8ba2d7edd268d132ee2add2cbd5a59

Download Submit
memory/8-281-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/532-197-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/532-165-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1152-213-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1152-191-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1328-237-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1328-270-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1420-247-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1420-214-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1524-279-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1524-245-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1552-226-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1552-259-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1580-268-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1580-235-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1616-190-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1616-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1888-199-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1888-184-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1944-189-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1944-209-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1948-185-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1948-200-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-215-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-248-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2032-242-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2032-211-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-212-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2224-243-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2404-195-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2404-164-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2416-203-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2416-186-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2548-278-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2548-244-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2928-220-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2928-194-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-208-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-188-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3056-238-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3056-271-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3080-240-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3080-274-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3180-236-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3180-269-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3272-219-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3272-252-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3316-210-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3316-241-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3348-204-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3348-232-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3520-280-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3520-246-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3604-254-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3604-221-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4064-218-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4064-251-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4092-272-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4092-239-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4120-227-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4120-201-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4128-207-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4128-234-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4136-261-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4136-228-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4188-223-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4188-256-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4264-193-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4264-95-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4292-224-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4292-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4432-192-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4432-216-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4524-205-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4524-187-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4892-225-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4892-198-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4988-222-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4988-196-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5028-217-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5028-250-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5048-206-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5048-233-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5124-249-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5132-253-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5140-255-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5148-258-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5156-260-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5164-262-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5172-266-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6004-276-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6044-273-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6052-275-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6060-282-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6120-283-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6136-277-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download