ce162b7080af2f96675b2cfdff007370cf61a288e21b0caf3aeca2f481527359

Analysis

max time kernel
16s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Size

790KB
MD5

737e6d0e0d651c08ccd7a4b5d9dd7070
SHA1

3c0f0047732eb28d9867c1d652d4834acb7a1eb3
SHA256

ce162b7080af2f96675b2cfdff007370cf61a288e21b0caf3aeca2f481527359
SHA512

5654e48df97e247b9d03f2ac0c5bc2beccb3a0d4b5b1b60dd8e395493a7a64af468ae34a226f108c9a0d2345c867be6bbb83de1c48211c012389672ece6ef865
SSDEEP

24576:86SQexg0guIrs2n7oh379t3L6DdlJPi9L5wmH:5HepHEnkx79ADdvP6+mH

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\Y:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\O:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\S:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\U:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\V:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\W:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\I:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\J:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\Q:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\R:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\Z:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\B:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\E:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\L:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\P:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\T:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\N:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\A:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\G:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\H:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\K:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File opened (read-only)	\??\M:	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\fetish full movie balls (Anniston,Kathrin).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian girls .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\french horse [free] (Sylvia,Kathrin).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\System32\DriverStore\Temp\gay girls 40+ (Anniston).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian beastiality kicking girls pregnant (Sylvia,Curtney).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african lesbian horse catfight traffic (Sarah).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american fetish girls .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\FxsTmp\american horse lesbian several models hole lady .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gang bang [bangbus] nipples balls .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling trambling public redhair .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse beast big .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie masturbation lady (Britney).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\chinese fucking [free] vagina leather .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Google\Temp\kicking [bangbus] .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\action full movie (Sandy).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american animal masturbation shoes .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Common Files\microsoft shared\gay hardcore [bangbus] feet sweet (Jade).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\canadian nude lesbian feet young .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian fetish beast voyeur granny (Anniston,Britney).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Google\Update\Download\sperm nude catfight girly (Christine,Jenna).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\sperm sleeping .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish gang bang blowjob several models legs .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\spanish beast fucking big shower .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\dotnet\shared\trambling catfight glans circumcision .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\bukkake uncut mistress .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beastiality hidden ash .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\malaysia kicking kicking big circumcision .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish lingerie action hidden granny .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian horse hot (!) cock fishy .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\black cumshot [free] .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\african fucking lingerie licking glans black hairunshaved (Jade,Ashley).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\danish hardcore animal voyeur titts mistress (Samantha).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\german lingerie cumshot girls granny .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\InputMethod\SHARED\tyrkish sperm beastiality several models femdom (Jade,Sonja).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\german cum voyeur titts bondage (Sonja,Janette).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\horse lingerie sleeping ash leather .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\kicking several models .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\blowjob catfight mature (Sarah).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\nude uncut titts high heels (Tatjana,Liz).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\malaysia fetish full movie beautyfull .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\african gay sleeping .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\Downloaded Program Files\norwegian trambling uncut hole lady .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\CbsTemp\african xxx sleeping (Britney).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\italian porn several models ¼ë (Britney,Sandy).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\horse beastiality several models traffic .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\danish xxx porn girls young .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\mssrv.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\russian fucking cum lesbian wifey .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\brasilian gay bukkake catfight black hairunshaved (Janette,Curtney).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\black lingerie public femdom (Karin).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\japanese horse gay several models penetration (Samantha).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\african xxx masturbation 40+ .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fetish masturbation ash black hairunshaved .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\fetish lesbian feet bedroom .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\black porn handjob hidden glans .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\indian gang bang lingerie [bangbus] lady (Liz,Sylvia).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\cum handjob [bangbus] .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\xxx fucking girls swallow (Janette,Jenna).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\american lesbian kicking voyeur vagina (Janette).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian trambling nude [bangbus] .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fetish [free] hole (Janette,Curtney).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\xxx gay [free] boots (Janette).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\russian lingerie beastiality hidden mistress .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\african fucking uncut .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\chinese xxx fucking lesbian sweet .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\german horse beastiality [bangbus] (Liz).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\brasilian fetish nude hot (!) (Gina).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\german fetish [milf] .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\chinese beastiality trambling sleeping lady .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\german handjob lesbian girls (Janette).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\japanese lesbian lesbian [milf] boobs .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\nude [free] ash (Liz).rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish sperm nude public stockings .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx blowjob girls balls .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\lesbian cumshot several models (Jade).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian action sperm [free] cock (Melissa).avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\indian bukkake xxx public vagina shoes .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\african beastiality [free] mistress (Jade).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\kicking several models swallow .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american fucking girls .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\canadian gay beastiality sleeping ejaculation .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\swedish nude hidden (Sylvia,Anniston).mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\beastiality [milf] .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\african action [free] glans (Sonja).zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish horse [free] penetration .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\malaysia beast full movie mistress .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\sperm [bangbus] leather .mpeg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\german fetish hardcore hidden beautyfull .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\gay sperm big stockings .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\sperm lesbian several models swallow .mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\sperm voyeur cock .zip.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\assembly\tmp\spanish horse gang bang sleeping boobs (Sarah).mpg.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\indian bukkake masturbation ash .avi.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\gay lesbian latex .rar.exe	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3224	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3224	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
232	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
232	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
1652	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
1652	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2364	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2364	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3092	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3092	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3724	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3724	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
892	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
892	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
1588	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
1588	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3516	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
3516	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 3156	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	88
PID 3868 wrote to memory of 3156	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	88
PID 3868 wrote to memory of 3156	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	88
PID 3868 wrote to memory of 4196	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	93
PID 3868 wrote to memory of 4196	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	93
PID 3868 wrote to memory of 4196	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	93
PID 3156 wrote to memory of 4472	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	94
PID 3156 wrote to memory of 4472	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	94
PID 3156 wrote to memory of 4472	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	94
PID 3868 wrote to memory of 4128	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	95
PID 3868 wrote to memory of 4128	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	95
PID 3868 wrote to memory of 4128	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	95
PID 3156 wrote to memory of 3320	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	96
PID 3156 wrote to memory of 3320	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	96
PID 3156 wrote to memory of 3320	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	96
PID 4196 wrote to memory of 3336	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	97
PID 4196 wrote to memory of 3336	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	97
PID 4196 wrote to memory of 3336	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	97
PID 4472 wrote to memory of 2560	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	99
PID 4472 wrote to memory of 2560	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	99
PID 4472 wrote to memory of 2560	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	99
PID 3868 wrote to memory of 3224	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	100
PID 3868 wrote to memory of 3224	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	100
PID 3868 wrote to memory of 3224	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	100
PID 4128 wrote to memory of 232	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	101
PID 4128 wrote to memory of 232	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	101
PID 4128 wrote to memory of 232	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	101
PID 3156 wrote to memory of 1652	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	102
PID 3156 wrote to memory of 1652	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	102
PID 3156 wrote to memory of 1652	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	102
PID 4196 wrote to memory of 2364	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	103
PID 4196 wrote to memory of 2364	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	103
PID 4196 wrote to memory of 2364	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	103
PID 4472 wrote to memory of 3092	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	104
PID 4472 wrote to memory of 3092	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	104
PID 4472 wrote to memory of 3092	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	104
PID 3320 wrote to memory of 3724	3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	105
PID 3320 wrote to memory of 3724	3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	105
PID 3320 wrote to memory of 3724	3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	105
PID 2560 wrote to memory of 892	2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	106
PID 2560 wrote to memory of 892	2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	106
PID 2560 wrote to memory of 892	2560	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	106
PID 3336 wrote to memory of 1588	3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	107
PID 3336 wrote to memory of 1588	3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	107
PID 3336 wrote to memory of 1588	3336	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	107
PID 3868 wrote to memory of 3516	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	109
PID 3868 wrote to memory of 3516	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	109
PID 3868 wrote to memory of 3516	3868	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	109
PID 3224 wrote to memory of 4824	3224	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	110
PID 3224 wrote to memory of 4824	3224	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	110
PID 3224 wrote to memory of 4824	3224	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	110
PID 4128 wrote to memory of 2700	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	111
PID 4128 wrote to memory of 2700	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	111
PID 4128 wrote to memory of 2700	4128	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	111
PID 3156 wrote to memory of 4240	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	112
PID 3156 wrote to memory of 4240	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	112
PID 3156 wrote to memory of 4240	3156	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	112
PID 4196 wrote to memory of 3380	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	113
PID 4196 wrote to memory of 3380	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	113
PID 4196 wrote to memory of 3380	4196	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	113
PID 4472 wrote to memory of 3736	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	114
PID 4472 wrote to memory of 3736	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	114
PID 4472 wrote to memory of 3736	4472	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	114
PID 3320 wrote to memory of 4884	3320	737e6d0e0d651c08ccd7a4b5d9dd7070N.exe	115

C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
"C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        8⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        8⤵
        
        PID:13368
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        8⤵
        
        PID:16428
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        8⤵
        
        PID:16740
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:10304
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13904
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        8⤵
        
        PID:16668
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:14052
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13576
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:8712
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:12352
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16544
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:10856
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16860
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10844
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:14832
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13996
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16652
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:11404
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16788
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13348
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16444
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:9284
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13156
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16468
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:9648
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13420
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16420
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16644
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10836
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:14708
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16660
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10140
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13864
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13196
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:464
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8612
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11436
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16924
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:9804
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13480
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16396
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7624
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16764
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10312
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14112
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7488
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:18204
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10188
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14028
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6744
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16452
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8636
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:17284
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12100
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16564
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:9588
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13428
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16412
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:18188
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10552
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13940
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16716
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:11092
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16892
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13772
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8684
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:18172
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:12464
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16532
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6156
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13896
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7672
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:18156
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10824
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14724
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8536
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:428
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11684
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:17292
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6792
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:12680
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16500
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8696
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12224
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16556
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:116
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10092
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13592
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:20284
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7544
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16692
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7256
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14004
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8464
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:18196
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:12300
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16572
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:12708
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16508
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8620
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16952
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12116
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16588
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10148
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13872
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7640
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16676
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10272
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:14036
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16936
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12140
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16580
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:6552
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:11344
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16796
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:8596
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:17572
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:11692
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16868
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:332
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:10052
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:13508
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16388
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16844
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:11452
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16812
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        7⤵
        
        PID:16828
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:14012
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13208
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16476
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8644
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:17588
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:12084
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16596
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10536
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:14120
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7680
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16836
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11248
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16780
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5260
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8604
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:17564
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11628
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13832
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8668
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12528
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16516
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:448
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13516
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7648
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16908
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10288
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14044
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8472
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:17580
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11724
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16804
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6708
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11256
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16876
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8676
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16944
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12456
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16524
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10628
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14664
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7616
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:17612
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10252
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:14096
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5004
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7496
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16720
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10196
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:13888
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:3696
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:6716
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:13168
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16484
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:8652
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:17596
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:12092
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16612
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:3964
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:13856
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:8440
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:17276
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:11444
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16756
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:5252
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:7576
      - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        6⤵
        
        PID:16916
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:10280
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:14020
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:636
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13216
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:8704
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:18164
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12324
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16540
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6204
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:9780
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13452
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16404
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7696
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16636
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:11196
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16900
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7504
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16628
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:13880
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:6732
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:12688
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16492
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:8628
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:17604
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:12108
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16604
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:9556
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:13360
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16436
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7608
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16684
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10296
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:13984
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:1184
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:7584
    - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
        5⤵
        
        PID:16732
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10264
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:14104
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:20292
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:11084
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16884
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:8496
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:18180
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:11676
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:19716
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:10044
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:13568
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:7712
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16852
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:11052
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16748
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:8296
  - - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
      "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
      4⤵
      PID:16620
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:11508
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16820
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  PID:6560
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:10864
- - C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
    "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
    3⤵
    PID:16772
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  PID:9356
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe
  "C:\Users\Admin\AppData\Local\Temp\737e6d0e0d651c08ccd7a4b5d9dd7070N.exe"
  2⤵
  PID:16460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian fetish beast voyeur granny (Anniston,Britney).avi.exe

Filesize
257KB

MD5
5c37ef48cadafd1ac87444b8895b14ba

SHA1
4d48b39e31d4f1f37f84e71987cf7e22bddbe561

SHA256
511fb32d48e867a7c8a003c1d517577f7f12b5d599823c8c963c4d785ed04ab0

SHA512
5cae8d5cfa0b4d9c2503b863c1958442570482ba64d9dcf68358a83d9a0397cfdff491badf197f41063e467781b74fb152dae2422882bc0319221d8260feb00e

Download Submit