ee218af0b512af8a58cdb0cad0e27a7b92c6b3d664a92b31c676c0ead6d8a05c

Analysis

max time kernel
16s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6964bed45b2863e836b42d3e3f6c2e80N.exe
Size

1.4MB
MD5

6964bed45b2863e836b42d3e3f6c2e80
SHA1

5ffd1ca8b16784387178cc0d0cc6b701b903c8c1
SHA256

ee218af0b512af8a58cdb0cad0e27a7b92c6b3d664a92b31c676c0ead6d8a05c
SHA512

e9bd6309a0feef5d5d67f81048ef982ca143ecc9d9a40cf5b5fc0d00c480c00617f7cf5d91cb3256b0152d5a2fb09f0403d84f6ce7d5725e0a71ed9b0e11faf6
SSDEEP

24576:oWrDY0+95rOEOUsfh+fVYtmtu9qZeACLnHUItRVGYzFf/M+DjSN:VvjEOUsfh+dYzqZUnHUuRVJzZM+DjSN

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	6964bed45b2863e836b42d3e3f6c2e80N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6964bed45b2863e836b42d3e3f6c2e80N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\B:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\I:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\K:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\P:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\G:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\H:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\J:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\O:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\W:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\Y:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\E:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\L:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\N:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\Q:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\T:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\U:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\X:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\Z:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\M:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\R:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\S:	6964bed45b2863e836b42d3e3f6c2e80N.exe
File opened (read-only)	\??\V:	6964bed45b2863e836b42d3e3f6c2e80N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\italian sperm porn hot (!) shoes .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese cum sleeping .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian hardcore sleeping bedroom .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian fetish lesbian sleeping ¼ë (Gina,Ashley).avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish fucking voyeur legs boots (Sonja).mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm uncut legs ejaculation .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian kicking cum hot (!) gorgeoushorny (Curtney,Sylvia).rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fetish beastiality hot (!) mistress .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\System32\DriverStore\Temp\fucking lesbian ¼ë .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish fucking sperm big hairy .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\canadian horse [bangbus] ash stockings (Gina).mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese cum hardcore [milf] .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\brasilian lingerie girls cock .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\norwegian beastiality big hole femdom (Melissa,Britney).rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\handjob hot (!) swallow .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish sperm several models .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\dotnet\shared\fetish nude voyeur .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\gang bang hidden redhair .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian blowjob bukkake hidden glans (Kathrin,Sarah).mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay trambling girls .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\tyrkish gay hot (!) ash beautyfull (Gina,Janette).zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese beastiality masturbation bondage (Britney,Sarah).rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish kicking sleeping legs mistress .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Google\Temp\italian cumshot lesbian .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lesbian lesbian uncut hotel .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore animal [free] (Britney,Samantha).mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian fucking [bangbus] hole penetration .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Google\Update\Download\american horse full movie ejaculation .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black gay girls vagina .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\fetish horse voyeur .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\norwegian gay hardcore catfight ash .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\norwegian horse beastiality masturbation redhair .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\assembly\temp\porn [bangbus] .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese porn horse [bangbus] sweet .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\gay hardcore lesbian .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\bukkake hidden (Sonja,Gina).mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\sperm hidden hole blondie (Melissa,Sonja).mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\tyrkish fetish horse [free] hole pregnant .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\trambling several models (Sandy).avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese trambling hot (!) cock ¼ë .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\assembly\tmp\norwegian gang bang lesbian [bangbus] .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\italian hardcore lesbian masturbation leather .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\indian beast girls leather .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\indian hardcore action masturbation 50+ .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\brasilian horse gay public mature .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\african lesbian catfight (Jade,Gina).avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\malaysia gang bang handjob [free] gorgeoushorny .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\chinese horse hot (!) feet hairy .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\french horse xxx uncut .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\danish beastiality bukkake uncut feet .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black xxx big ash circumcision .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\canadian blowjob cumshot hidden beautyfull .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\kicking cum several models titts (Ashley).mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\norwegian hardcore beastiality uncut swallow (Kathrin).zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french lesbian horse [bangbus] high heels .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\french bukkake licking feet .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\japanese gang bang hardcore licking hole 50+ .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\handjob beastiality sleeping bedroom .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\lingerie several models .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\lingerie hardcore [bangbus] glans blondie (Curtney).mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\swedish beast hidden .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\security\templates\horse fetish [free] nipples lady .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\cum fucking sleeping .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\russian lesbian hidden (Sarah).rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\trambling bukkake public castration (Jenna).rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\indian lingerie kicking [free] .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\french animal bukkake uncut ash high heels .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\gang bang sperm hidden gorgeoushorny (Christine,Kathrin).mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\spanish bukkake masturbation (Karin).avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\lingerie [free] .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\hardcore nude licking glans hairy .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\danish beast sleeping boobs ash (Liz).zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SoftwareDistribution\Download\german trambling horse [milf] wifey .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\british gang bang big .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\german action gang bang hot (!) bondage .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\swedish kicking gay hidden .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\black blowjob beast lesbian leather .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\bukkake nude hidden glans .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\xxx voyeur .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\canadian animal xxx hidden ash .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\horse lesbian shower .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\american hardcore nude licking .zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\asian lingerie animal uncut nipples .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\british hardcore beast licking sweet .avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\brasilian blowjob xxx big blondie .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\mssrv.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\CbsTemp\spanish horse xxx hot (!) (Karin).zip.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\PLA\Templates\black trambling fucking several models ash ejaculation (Sylvia).avi.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\black bukkake lingerie voyeur 50+ .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\asian fucking xxx big .rar.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\danish xxx full movie ash (Curtney,Sylvia).mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\Downloaded Program Files\chinese fetish full movie penetration .mpeg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fetish cumshot several models balls .mpg.exe	6964bed45b2863e836b42d3e3f6c2e80N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
1124	6964bed45b2863e836b42d3e3f6c2e80N.exe
1124	6964bed45b2863e836b42d3e3f6c2e80N.exe
3512	6964bed45b2863e836b42d3e3f6c2e80N.exe
3512	6964bed45b2863e836b42d3e3f6c2e80N.exe
1264	6964bed45b2863e836b42d3e3f6c2e80N.exe
1264	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
4360	6964bed45b2863e836b42d3e3f6c2e80N.exe
4360	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
3980	6964bed45b2863e836b42d3e3f6c2e80N.exe
3980	6964bed45b2863e836b42d3e3f6c2e80N.exe
2372	6964bed45b2863e836b42d3e3f6c2e80N.exe
2372	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
4048	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
2280	6964bed45b2863e836b42d3e3f6c2e80N.exe
4004	6964bed45b2863e836b42d3e3f6c2e80N.exe
4004	6964bed45b2863e836b42d3e3f6c2e80N.exe
4964	6964bed45b2863e836b42d3e3f6c2e80N.exe
4964	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
1732	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
4148	6964bed45b2863e836b42d3e3f6c2e80N.exe
3144	6964bed45b2863e836b42d3e3f6c2e80N.exe
3144	6964bed45b2863e836b42d3e3f6c2e80N.exe
4352	6964bed45b2863e836b42d3e3f6c2e80N.exe
4352	6964bed45b2863e836b42d3e3f6c2e80N.exe
4392	6964bed45b2863e836b42d3e3f6c2e80N.exe
4392	6964bed45b2863e836b42d3e3f6c2e80N.exe
1124	6964bed45b2863e836b42d3e3f6c2e80N.exe
1124	6964bed45b2863e836b42d3e3f6c2e80N.exe
228	6964bed45b2863e836b42d3e3f6c2e80N.exe
228	6964bed45b2863e836b42d3e3f6c2e80N.exe
3512	6964bed45b2863e836b42d3e3f6c2e80N.exe
3512	6964bed45b2863e836b42d3e3f6c2e80N.exe
1264	6964bed45b2863e836b42d3e3f6c2e80N.exe
1264	6964bed45b2863e836b42d3e3f6c2e80N.exe
4360	6964bed45b2863e836b42d3e3f6c2e80N.exe
4360	6964bed45b2863e836b42d3e3f6c2e80N.exe
4832	6964bed45b2863e836b42d3e3f6c2e80N.exe
4832	6964bed45b2863e836b42d3e3f6c2e80N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4048	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	87
PID 2280 wrote to memory of 4048	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	87
PID 2280 wrote to memory of 4048	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	87
PID 2280 wrote to memory of 4148	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	93
PID 2280 wrote to memory of 4148	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	93
PID 2280 wrote to memory of 4148	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	93
PID 4048 wrote to memory of 1732	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	92
PID 4048 wrote to memory of 1732	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	92
PID 4048 wrote to memory of 1732	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	92
PID 4048 wrote to memory of 1264	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	94
PID 4048 wrote to memory of 1264	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	94
PID 4048 wrote to memory of 1264	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	94
PID 2280 wrote to memory of 1124	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	95
PID 2280 wrote to memory of 1124	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	95
PID 2280 wrote to memory of 1124	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	95
PID 1732 wrote to memory of 3512	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	96
PID 1732 wrote to memory of 3512	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	96
PID 1732 wrote to memory of 3512	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	96
PID 4148 wrote to memory of 4360	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	97
PID 4148 wrote to memory of 4360	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	97
PID 4148 wrote to memory of 4360	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	97
PID 4048 wrote to memory of 3980	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	99
PID 4048 wrote to memory of 3980	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	99
PID 4048 wrote to memory of 3980	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	99
PID 2280 wrote to memory of 2372	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	100
PID 2280 wrote to memory of 2372	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	100
PID 2280 wrote to memory of 2372	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	100
PID 1732 wrote to memory of 4004	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	101
PID 1732 wrote to memory of 4004	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	101
PID 1732 wrote to memory of 4004	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	101
PID 4148 wrote to memory of 4964	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	102
PID 4148 wrote to memory of 4964	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	102
PID 4148 wrote to memory of 4964	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	102
PID 1124 wrote to memory of 4352	1124	6964bed45b2863e836b42d3e3f6c2e80N.exe	103
PID 1124 wrote to memory of 4352	1124	6964bed45b2863e836b42d3e3f6c2e80N.exe	103
PID 1124 wrote to memory of 4352	1124	6964bed45b2863e836b42d3e3f6c2e80N.exe	103
PID 3512 wrote to memory of 3144	3512	6964bed45b2863e836b42d3e3f6c2e80N.exe	104
PID 3512 wrote to memory of 3144	3512	6964bed45b2863e836b42d3e3f6c2e80N.exe	104
PID 3512 wrote to memory of 3144	3512	6964bed45b2863e836b42d3e3f6c2e80N.exe	104
PID 1264 wrote to memory of 4392	1264	6964bed45b2863e836b42d3e3f6c2e80N.exe	105
PID 1264 wrote to memory of 4392	1264	6964bed45b2863e836b42d3e3f6c2e80N.exe	105
PID 1264 wrote to memory of 4392	1264	6964bed45b2863e836b42d3e3f6c2e80N.exe	105
PID 4360 wrote to memory of 228	4360	6964bed45b2863e836b42d3e3f6c2e80N.exe	106
PID 4360 wrote to memory of 228	4360	6964bed45b2863e836b42d3e3f6c2e80N.exe	106
PID 4360 wrote to memory of 228	4360	6964bed45b2863e836b42d3e3f6c2e80N.exe	106
PID 4048 wrote to memory of 4832	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	108
PID 4048 wrote to memory of 4832	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	108
PID 4048 wrote to memory of 4832	4048	6964bed45b2863e836b42d3e3f6c2e80N.exe	108
PID 2280 wrote to memory of 4592	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	109
PID 2280 wrote to memory of 4592	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	109
PID 2280 wrote to memory of 4592	2280	6964bed45b2863e836b42d3e3f6c2e80N.exe	109
PID 4148 wrote to memory of 3496	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	110
PID 4148 wrote to memory of 3496	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	110
PID 4148 wrote to memory of 3496	4148	6964bed45b2863e836b42d3e3f6c2e80N.exe	110
PID 1732 wrote to memory of 2292	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	111
PID 1732 wrote to memory of 2292	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	111
PID 1732 wrote to memory of 2292	1732	6964bed45b2863e836b42d3e3f6c2e80N.exe	111
PID 2372 wrote to memory of 3124	2372	6964bed45b2863e836b42d3e3f6c2e80N.exe	112
PID 2372 wrote to memory of 3124	2372	6964bed45b2863e836b42d3e3f6c2e80N.exe	112
PID 2372 wrote to memory of 3124	2372	6964bed45b2863e836b42d3e3f6c2e80N.exe	112
PID 3980 wrote to memory of 4652	3980	6964bed45b2863e836b42d3e3f6c2e80N.exe	113
PID 3980 wrote to memory of 4652	3980	6964bed45b2863e836b42d3e3f6c2e80N.exe	113
PID 3980 wrote to memory of 4652	3980	6964bed45b2863e836b42d3e3f6c2e80N.exe	113
PID 1124 wrote to memory of 3632	1124	6964bed45b2863e836b42d3e3f6c2e80N.exe	114

C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
"C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        8⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        8⤵
        
        PID:15532
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        8⤵
        
        PID:15876
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:14084
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        8⤵
        
        PID:15220
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:9672
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:13052
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:10764
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:14700
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:16260
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:10256
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14136
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:5168
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:16052
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:10932
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:15540
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6620
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14544
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8856
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12212
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4004
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:14340
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:15576
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14252
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:5144
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:8524
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:16368
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:11392
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:16412
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6612
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:11936
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8812
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12220
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9756
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:13152
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7672
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:15676
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10104
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:13800
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9116
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12460
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6636
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:13068
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:12520
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:13308
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:16356
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14076
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:3344
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:8344
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:16244
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:10832
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:11880
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8604
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12116
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9712
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:12844
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7664
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:15684
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9284
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:14068
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8580
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12100
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6644
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12876
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8864
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:12308
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9764
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:13060
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7436
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14972
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9496
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12808
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12108
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:11952
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8964
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:12572
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6272
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9816
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:11544
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7828
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:15716
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:10640
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14476
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7460
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:15008
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:9572
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:13144
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:6680
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:13032
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:8892
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:11536
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:14128
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:15396
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9808
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        7⤵
        
        PID:14924
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:8956
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:12452
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6492
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:11920
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8540
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:11376
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:12964
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:15868
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10560
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:14328
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:5160
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:16528
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10592
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6664
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:11944
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8624
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:12160
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:5964
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9784
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:13580
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7444
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14988
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9588
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12776
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7492
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:15208
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9680
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12852
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6688
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12880
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8948
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:1160
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6072
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9800
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10684
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7844
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:15796
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:10552
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14312
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6856
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:16124
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:11772
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:16420
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14980
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:7992
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:12556
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:9720
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:13136
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7688
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14440
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10264
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:14144
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:7156
      - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        6⤵
        
        PID:14864
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9352
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12800
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:13160
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8940
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:11404
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:10948
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:15552
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7876
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:16044
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:10648
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14528
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:8548
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:11656
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14092
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:6628
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:13044
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:8804
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:12232
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:9728
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:12860
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7704
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:16376
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:10248
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:14320
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:7484
    - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
        5⤵
        
        PID:14964
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:9580
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:13184
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:11384
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:8240
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:16320
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:10204
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:15996
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:11848
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:16652
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:7728
  - - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
      "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
      4⤵
      PID:15884
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:10272
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:14120
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:8616
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:12168
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  PID:6712
- - C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
    "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
    3⤵
    PID:14916
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  PID:8972
- C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe
  "C:\Users\Admin\AppData\Local\Temp\6964bed45b2863e836b42d3e3f6c2e80N.exe"
  2⤵
  PID:11872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian blowjob bukkake hidden glans (Kathrin,Sarah).mpeg.exe

Filesize
958KB

MD5
ead972b63b51e40ba0d439509a9b4c92

SHA1
c7134fc522156d8af8c07b68746e527cc815af47

SHA256
567d008c65cbb96214b1fb49c6f177b16ca6aeecc3a86fdda5ca0ca625f40b38

SHA512
03b104c1421c4f2fe320ddd51503cf6921ab3fa4b9d022a8092a59c0a8accae4d4d2ff2b858c0a9b6b1a1b4c9f883a97847db671d708f0f225afd12f642ecaea

Download Submit
memory/228-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1004-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1732-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1892-308-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2280-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2664-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3112-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3124-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3144-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3512-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3616-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3632-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3980-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4004-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4148-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4288-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4360-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4392-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4592-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4652-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4672-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4716-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4832-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4964-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5124-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5160-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5216-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5964-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6048-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6064-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6072-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6080-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6100-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6156-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6272-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6416-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6492-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6544-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6604-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6612-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6620-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6636-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6664-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6672-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6688-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6696-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6704-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6712-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6724-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7156-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7436-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7476-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7688-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7696-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7704-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7712-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7720-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7728-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7740-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7836-289-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7844-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7876-287-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8000-288-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8240-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8344-291-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8384-292-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8524-293-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8540-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8548-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8580-297-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8604-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8624-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8804-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8812-300-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8856-301-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8892-302-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8920-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8948-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8956-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8972-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9116-307-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9352-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9496-310-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9588-313-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9672-311-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9680-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9712-314-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9720-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9728-316-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9756-317-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9784-318-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9792-319-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download