69894d1e944290f9eb0c4928390176e2f69cfae083fc010fd6a5d3421d80bbc9

Analysis

max time kernel
118s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed28304d64274af0b0b2a26cfd544d0N.exe
Size

1.2MB
MD5

1ed28304d64274af0b0b2a26cfd544d0
SHA1

ebc9b9cfa6a70d3ca6804eed67b860410a25dcb8
SHA256

69894d1e944290f9eb0c4928390176e2f69cfae083fc010fd6a5d3421d80bbc9
SHA512

7b4c1418ee4882bfcdd631f57e20ab59b175787b559b8232c1e0f11c38773415e22acf0658c079f0a3758c2f539715a0536a6f99241bb36ac84e23ad433ade82
SSDEEP

24576:2wiSc7OFbZmXxCtM/wopdFlKZU3IOQC5QQ+djKz8qcjDMu0MlxI:h0CRoXiMYozSU397mQ+RCODagI

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	1ed28304d64274af0b0b2a26cfd544d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1ed28304d64274af0b0b2a26cfd544d0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\B:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\H:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\U:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\W:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\X:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\J:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\M:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\N:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\G:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\K:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\I:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\L:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\O:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\P:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\Q:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\R:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\A:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\E:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\V:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\Y:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\S:	1ed28304d64274af0b0b2a26cfd544d0N.exe
File opened (read-only)	\??\T:	1ed28304d64274af0b0b2a26cfd544d0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\german fucking masturbation sm (Jenna,Curtney).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian bukkake bukkake voyeur .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\french fucking [milf] (Sarah,Gina).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob hidden (Jenna,Britney).rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\canadian porn licking vagina pregnant .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\black fucking hot (!) feet shoes .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beastiality girls shoes .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\malaysia beast hot (!) feet .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black trambling cum uncut high heels .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish xxx several models .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\System32\DriverStore\Temp\malaysia lesbian full movie castration (Sonja,Jenna).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse gay hidden cock YEâPSè& .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese horse blowjob big femdom .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\tyrkish beast [bangbus] boobs .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sperm beast uncut YEâPSè& .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\italian cum sperm [bangbus] vagina upskirt (Sonja,Karin).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\cumshot lesbian hole .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\african horse lingerie [milf] (Samantha).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\indian beastiality sleeping upskirt (Sarah,Janette).rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\dotnet\shared\american trambling catfight .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lesbian hot (!) (Sandy).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\xxx voyeur .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian xxx lesbian boots (Sarah).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian cum public .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\horse licking penetration .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\nude xxx full movie vagina (Sonja).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Google\Temp\action sleeping boobs high heels .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore licking wifey .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\gay handjob public ash (Jenna,Sonja).mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\russian beast uncut .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\brasilian fetish uncut wifey .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\tyrkish sperm sperm [bangbus] ejaculation .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\swedish nude catfight .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\british animal handjob uncut wifey .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\lingerie catfight shoes (Jenna,Karin).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\tyrkish lesbian catfight pregnant .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\security\templates\swedish horse sleeping (Sylvia).mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\lesbian beast big swallow (Sonja).avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\canadian beastiality [bangbus] .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\french gay voyeur hairy .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\beastiality gay masturbation .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\beastiality horse full movie hole .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\gang bang several models (Gina).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\swedish porn [bangbus] leather .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\norwegian gang bang horse girls black hairunshaved .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SoftwareDistribution\Download\asian handjob cumshot licking titts (Tatjana,Jade).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\malaysia beastiality big penetration .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black gang bang voyeur circumcision .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\hardcore lesbian masturbation vagina 50+ .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\asian lesbian nude full movie feet balls (Karin,Melissa).zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\african xxx hot (!) hotel (Britney,Sonja).mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\blowjob [bangbus] (Kathrin).avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\PLA\Templates\swedish trambling sleeping .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\spanish gang bang handjob [milf] wifey .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian gay horse girls (Ashley,Janette).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\italian fetish public .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\Downloaded Program Files\black hardcore horse voyeur cock sweet (Karin).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\indian beast blowjob catfight leather .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\russian horse public penetration .zip.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\african lingerie big boobs fishy .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\malaysia animal cum big .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\InputMethod\SHARED\american handjob [milf] vagina high heels .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\horse public .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\german nude licking .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\black trambling full movie vagina girly (Sonja).mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking uncut bondage .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\french beast gang bang lesbian .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\german beast hot (!) .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\gay cumshot voyeur \Û .rar.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\asian horse [bangbus] bondage .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\action lingerie public .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\horse licking .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\african gang bang voyeur circumcision .mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\CbsTemp\asian sperm [milf] boots .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\trambling uncut femdom (Jade).mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\temp\norwegian gang bang handjob sleeping castration .avi.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\assembly\tmp\swedish horse girls titts hairy .mpeg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\american fetish animal hidden (Jade,Samantha).mpg.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe
File created	C:\Windows\mssrv.exe	1ed28304d64274af0b0b2a26cfd544d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ed28304d64274af0b0b2a26cfd544d0N.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe
1188	1ed28304d64274af0b0b2a26cfd544d0N.exe
1188	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
216	1ed28304d64274af0b0b2a26cfd544d0N.exe
216	1ed28304d64274af0b0b2a26cfd544d0N.exe
4372	1ed28304d64274af0b0b2a26cfd544d0N.exe
4372	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
4020	1ed28304d64274af0b0b2a26cfd544d0N.exe
4020	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
4804	1ed28304d64274af0b0b2a26cfd544d0N.exe
5108	1ed28304d64274af0b0b2a26cfd544d0N.exe
5108	1ed28304d64274af0b0b2a26cfd544d0N.exe
1188	1ed28304d64274af0b0b2a26cfd544d0N.exe
1188	1ed28304d64274af0b0b2a26cfd544d0N.exe
4716	1ed28304d64274af0b0b2a26cfd544d0N.exe
4716	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1300	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe
1576	1ed28304d64274af0b0b2a26cfd544d0N.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4804	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	87
PID 1300 wrote to memory of 4804	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	87
PID 1300 wrote to memory of 4804	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	87
PID 1300 wrote to memory of 1576	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	90
PID 1300 wrote to memory of 1576	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	90
PID 1300 wrote to memory of 1576	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	90
PID 4804 wrote to memory of 1188	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	91
PID 4804 wrote to memory of 1188	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	91
PID 4804 wrote to memory of 1188	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	91
PID 1576 wrote to memory of 216	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	94
PID 1576 wrote to memory of 216	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	94
PID 1576 wrote to memory of 216	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	94
PID 1300 wrote to memory of 4372	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	95
PID 1300 wrote to memory of 4372	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	95
PID 1300 wrote to memory of 4372	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	95
PID 4804 wrote to memory of 4020	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	96
PID 4804 wrote to memory of 4020	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	96
PID 4804 wrote to memory of 4020	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	96
PID 1188 wrote to memory of 5108	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	97
PID 1188 wrote to memory of 5108	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	97
PID 1188 wrote to memory of 5108	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	97
PID 1300 wrote to memory of 4476	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	99
PID 1300 wrote to memory of 4476	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	99
PID 1300 wrote to memory of 4476	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	99
PID 1576 wrote to memory of 4716	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	100
PID 1576 wrote to memory of 4716	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	100
PID 1576 wrote to memory of 4716	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	100
PID 216 wrote to memory of 3596	216	1ed28304d64274af0b0b2a26cfd544d0N.exe	101
PID 216 wrote to memory of 3596	216	1ed28304d64274af0b0b2a26cfd544d0N.exe	101
PID 216 wrote to memory of 3596	216	1ed28304d64274af0b0b2a26cfd544d0N.exe	101
PID 4804 wrote to memory of 960	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	102
PID 4804 wrote to memory of 960	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	102
PID 4804 wrote to memory of 960	4804	1ed28304d64274af0b0b2a26cfd544d0N.exe	102
PID 4372 wrote to memory of 4548	4372	1ed28304d64274af0b0b2a26cfd544d0N.exe	103
PID 4372 wrote to memory of 4548	4372	1ed28304d64274af0b0b2a26cfd544d0N.exe	103
PID 4372 wrote to memory of 4548	4372	1ed28304d64274af0b0b2a26cfd544d0N.exe	103
PID 4020 wrote to memory of 5012	4020	1ed28304d64274af0b0b2a26cfd544d0N.exe	104
PID 4020 wrote to memory of 5012	4020	1ed28304d64274af0b0b2a26cfd544d0N.exe	104
PID 4020 wrote to memory of 5012	4020	1ed28304d64274af0b0b2a26cfd544d0N.exe	104
PID 1188 wrote to memory of 2780	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	105
PID 1188 wrote to memory of 2780	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	105
PID 1188 wrote to memory of 2780	1188	1ed28304d64274af0b0b2a26cfd544d0N.exe	105
PID 5108 wrote to memory of 1760	5108	1ed28304d64274af0b0b2a26cfd544d0N.exe	106
PID 5108 wrote to memory of 1760	5108	1ed28304d64274af0b0b2a26cfd544d0N.exe	106
PID 5108 wrote to memory of 1760	5108	1ed28304d64274af0b0b2a26cfd544d0N.exe	106
PID 1300 wrote to memory of 4032	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	107
PID 1300 wrote to memory of 4032	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	107
PID 1300 wrote to memory of 4032	1300	1ed28304d64274af0b0b2a26cfd544d0N.exe	107
PID 1576 wrote to memory of 1164	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	108
PID 1576 wrote to memory of 1164	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	108
PID 1576 wrote to memory of 1164	1576	1ed28304d64274af0b0b2a26cfd544d0N.exe	108

C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:10420
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        9⤵
        
        PID:23184
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:14116
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:19972
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:16944
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:24616
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:11252
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:23612
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:15924
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:22276
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:20616
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:13008
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:18828
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:15964
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:8552
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10288
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21948
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13732
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20036
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:21696
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:13692
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:19556
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:17484
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10660
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:22824
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:14840
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20696
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:16780
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:24800
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:22816
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:14748
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20404
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7112
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15152
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20984
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9176
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20364
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12752
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17848
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:10008
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:21648
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:13380
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:18884
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:16968
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:24976
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10668
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:22848
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:14928
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20992
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5896
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:20444
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:12992
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:18860
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7508
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16148
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8984
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20704
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13668
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19548
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:828
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6288
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21712
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13412
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:19596
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8144
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16692
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:23752
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10628
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:23388
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14672
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20396
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8236
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16952
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:24948
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10788
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:23396
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:15380
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21296
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7128
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:15216
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21000
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9336
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20356
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12932
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17872
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:2332
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:10388
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:21688
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:14640
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:20412
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:4376
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:11104
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:23068
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15664
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21440
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5928
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21016
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13016
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:18844
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7536
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16200
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:22544
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10300
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:22840
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19480
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5988
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:9824
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21772
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:12900
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:17776
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15456
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21216
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10052
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21632
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13652
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19728
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5460
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7480
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15956
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:22456
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21544
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13676
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19668
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6748
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12728
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17468
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:25592
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9084
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20288
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13388
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:19492
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10120
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21656
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13684
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:19568
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7960
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15996
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8640
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10592
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:24124
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14384
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20136
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:18796
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:11944
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16704
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13956
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7156
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14628
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20420
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9488
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20388
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13052
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:18876
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9352
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21672
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13000
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:18832
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7904
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16140
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9012
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:10552
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21680
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:14244
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:20128
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:5400
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7396
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:15820
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6040
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9984
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21640
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13372
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:19536
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:6676
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12404
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:16976
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:24936
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8776
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:18804
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:11908
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:16712
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:24376
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        8⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:13740
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:19896
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:15972
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:22424
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10544
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21796
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:14776
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20428
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5788
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:19736
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:12384
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:17768
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15044
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21008
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9496
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20640
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13112
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:18852
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:20632
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13148
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:19304
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7776
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16164
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:22556
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10516
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:23468
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14104
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19952
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15576
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21208
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21664
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13404
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19520
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6716
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12236
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16960
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:24896
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:8788
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19472
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12108
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:16732
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13832
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21788
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13644
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:19676
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:7976
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16044
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8604
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10560
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:23420
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14252
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20212
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5620
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8012
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:16004
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:8532
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10644
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21780
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14660
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20336
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12768
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17760
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9368
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12960
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:18232
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:12632
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:17356
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9092
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:19528
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12952
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:18240
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6528
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12412
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17684
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:8476
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:18056
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:11416
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14052
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:16372
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:22636
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:6928
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12640
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9100
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20120
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12712
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17460
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:6512
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:10940
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:23060
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:15236
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:21088
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8256
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:18128
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:10860
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:23192
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:15308
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:21192
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:6368
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:10100
        
        C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        7⤵
        
        PID:21624
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:13864
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20112
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:15980
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:22436
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:10636
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21764
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:14760
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5964
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:9816
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20624
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:13192
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:19228
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7708
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16620
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:23172
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:10524
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21704
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:14256
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:20220
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8964
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:21200
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12656
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:548
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7528
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16156
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:18284
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:10128
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:23164
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13764
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:19812
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7388
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:15988
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:22444
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9992
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:16916
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:13396
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:18892
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:6704
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12508
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17100
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:24844
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8796
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:19220
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:12092
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:16720
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:14020
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8860
      - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        6⤵
        
        PID:20436
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12392
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17092
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:24852
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:12784
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:17732
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9192
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20236
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12664
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:3080
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7544
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:15948
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:10448
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21720
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:14224
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:20228
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12100
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:16924
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:24968
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8804
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:3244
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:12176
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:16932
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:24904
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:5304
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:7120
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:968
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:21472
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:9184
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:20104
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12760
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17720
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:6536
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:11172
    - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
        5⤵
        
        PID:23076
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:15940
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:8884
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8484
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17616
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:11408
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:23944
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:16088
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:8916
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:7016
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:12776
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:17784
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:9076
  - - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
      "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
      4⤵
      PID:20684
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:12720
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:17476
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:228
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:6520
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:12372
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:17108
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:24788
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:8380
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:16180
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:9148
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:11260
- - C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
    3⤵
    PID:23200
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:15932
- C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ed28304d64274af0b0b2a26cfd544d0N.exe"
  2⤵
  PID:6804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\xxx voyeur .rar.exe

Filesize
1.9MB

MD5
6d445076834156fedd57b8f665fcdd95

SHA1
e3a9e604d32eee5bcfe174c4f492092798629856

SHA256
e865fc42a4599b8dba1d796a429d9355ed72d916b162677b88372521b09688d2

SHA512
4711a66b75670cb7f85c165c585946145d73082ac03fa39d4799983d246bac0c6169d90c0eccc9fa6121d68e10918d19ddea49b1a482084dc767336afd48df49

Download Submit