45434744967b5f335b461d45e1fb4370dea8b99294dada8f08fd74294e4c3108

Analysis

max time kernel
13s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a0ded12bb4556f852b84938135b540N.exe
Size

1.4MB
MD5

d5a0ded12bb4556f852b84938135b540
SHA1

f525d096ad2a635e70b62ba3709184dffd83ea30
SHA256

45434744967b5f335b461d45e1fb4370dea8b99294dada8f08fd74294e4c3108
SHA512

63473a3682317715d96998a30aedfcc8b3dccd0d70190cee963fafffdf7c4e752b3610894f21c1fa608e07ab292b54fe4ffb66087bde8f065458148a6310bf88
SSDEEP

24576:2wmTqMs39jG/OtQHFL367tK9x9tyMpSTq7pIaQS0VAjI4rSWdoFb7pDkLVa:hgIweaFr67tq9nSTA6o0VeIsSWCFb7pv

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	d5a0ded12bb4556f852b84938135b540N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d5a0ded12bb4556f852b84938135b540N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\H:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\Q:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\T:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\U:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\V:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\X:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\A:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\I:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\J:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\K:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\S:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\Y:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\Z:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\E:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\G:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\L:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\M:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\O:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\P:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\R:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\W:	d5a0ded12bb4556f852b84938135b540N.exe
File opened (read-only)	\??\B:	d5a0ded12bb4556f852b84938135b540N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\american cum trambling sleeping redhair (Sonja,Janette).mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian fetish sperm hidden hole high heels .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian animal lesbian sleeping glans .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\FxsTmp\black horse gay public wifey .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish nude trambling catfight redhair .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian cumshot fucking [milf] hole .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\System32\DriverStore\Temp\sperm masturbation penetration (Britney,Liz).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese lesbian big hole .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\russian action sperm licking .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black porn lesbian several models hole wifey .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish cum xxx public hole high heels .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob girls feet girly .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\xxx voyeur (Melissa).mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Common Files\microsoft shared\lingerie sleeping (Samantha).mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\dotnet\shared\sperm [free] feet boots .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish cum xxx licking lady (Britney,Tatjana).mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish action blowjob [milf] .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Google\Update\Download\brasilian nude hardcore [free] feet traffic (Sarah).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\japanese cum bukkake several models hole swallow .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay full movie .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian handjob lingerie masturbation boots .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lesbian sleeping .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Google\Temp\russian nude lingerie several models titts swallow (Samantha).mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake [milf] YEâPSè& .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\blowjob [free] cock high heels .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian horse sperm public hole (Jenna,Tatjana).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\bukkake several models stockings (Britney,Karin).mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\german gay masturbation hotel .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse full movie (Janette).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american fetish blowjob public titts .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\gay voyeur feet ejaculation (Sarah).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\black handjob gay several models cock .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\gay sleeping feet .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\german fucking sleeping hole .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\beastiality lesbian [free] shoes .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\beast girls mistress .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\beast hot (!) feet mistress .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\canadian horse masturbation (Liz).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\beast hot (!) granny .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\african sperm hot (!) titts granny .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\malaysia lesbian several models cock .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\british gay [bangbus] ejaculation (Sandy,Tatjana).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\asian hardcore uncut feet mature (Curtney).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish nude beast voyeur cock granny .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\porn trambling licking feet ejaculation .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\cum gay public bedroom .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\german xxx voyeur glans lady (Sylvia).mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\horse horse [milf] mistress .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\brasilian horse lingerie uncut swallow .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\fucking several models titts sweet .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\PLA\Templates\japanese action lingerie girls fishy .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish action horse voyeur shoes .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\security\templates\swedish kicking lingerie public (Melissa).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\russian cumshot xxx several models (Samantha).mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\lingerie [bangbus] .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\french blowjob full movie (Samantha).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse public feet gorgeoushorny (Sylvia).mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\tyrkish animal xxx [bangbus] leather (Britney,Curtney).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\beastiality lesbian sleeping cock lady .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\american handjob lingerie hidden feet blondie (Liz).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\Downloaded Program Files\italian action sperm [milf] cock .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\lingerie lesbian (Liz).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\canadian bukkake full movie .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\japanese handjob horse licking glans .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\indian handjob horse full movie mature (Sonja,Curtney).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\japanese action trambling full movie sm .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\assembly\temp\bukkake full movie Ôï (Britney,Liz).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\beast big (Sarah).mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese beast catfight .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\african hardcore big bondage .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\asian fucking voyeur (Sylvia).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\tyrkish handjob hardcore catfight .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\french blowjob sleeping titts .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\malaysia trambling licking .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\canadian lesbian [bangbus] balls .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\indian porn fucking hot (!) swallow .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish nude sperm uncut cock .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\japanese porn xxx licking cock .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\horse masturbation titts lady .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\italian cum bukkake full movie bondage .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\nude hardcore licking hole .rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\lesbian hot (!) hairy .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\black fetish beast [bangbus] sm .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\black porn beast voyeur cock lady (Melissa).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\canadian sperm public bondage (Ashley,Samantha).avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\brasilian cum xxx sleeping feet bondage (Sarah).rar.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\swedish action lesbian several models feet lady (Samantha).zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\nude bukkake public beautyfull .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\spanish xxx public titts .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish gang bang hardcore catfight cock ejaculation .mpg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\black action beast [bangbus] titts wifey .avi.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\sperm [bangbus] mistress .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\cum blowjob voyeur hole .zip.exe	d5a0ded12bb4556f852b84938135b540N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\porn sperm masturbation feet castration .mpeg.exe	d5a0ded12bb4556f852b84938135b540N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a0ded12bb4556f852b84938135b540N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3924	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3568	d5a0ded12bb4556f852b84938135b540N.exe
3568	d5a0ded12bb4556f852b84938135b540N.exe
3372	d5a0ded12bb4556f852b84938135b540N.exe
3372	d5a0ded12bb4556f852b84938135b540N.exe
4316	d5a0ded12bb4556f852b84938135b540N.exe
4316	d5a0ded12bb4556f852b84938135b540N.exe
4300	d5a0ded12bb4556f852b84938135b540N.exe
4300	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
1140	d5a0ded12bb4556f852b84938135b540N.exe
1140	d5a0ded12bb4556f852b84938135b540N.exe
3936	d5a0ded12bb4556f852b84938135b540N.exe
3936	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
2952	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
3608	d5a0ded12bb4556f852b84938135b540N.exe
1132	d5a0ded12bb4556f852b84938135b540N.exe
1132	d5a0ded12bb4556f852b84938135b540N.exe
2632	d5a0ded12bb4556f852b84938135b540N.exe
2632	d5a0ded12bb4556f852b84938135b540N.exe
2316	d5a0ded12bb4556f852b84938135b540N.exe
2316	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
456	d5a0ded12bb4556f852b84938135b540N.exe
4068	d5a0ded12bb4556f852b84938135b540N.exe
4068	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3924	d5a0ded12bb4556f852b84938135b540N.exe
3568	d5a0ded12bb4556f852b84938135b540N.exe
3568	d5a0ded12bb4556f852b84938135b540N.exe
3372	d5a0ded12bb4556f852b84938135b540N.exe
3372	d5a0ded12bb4556f852b84938135b540N.exe
1508	d5a0ded12bb4556f852b84938135b540N.exe
1508	d5a0ded12bb4556f852b84938135b540N.exe
4680	d5a0ded12bb4556f852b84938135b540N.exe
4680	d5a0ded12bb4556f852b84938135b540N.exe
4316	d5a0ded12bb4556f852b84938135b540N.exe
4316	d5a0ded12bb4556f852b84938135b540N.exe
4300	d5a0ded12bb4556f852b84938135b540N.exe
4300	d5a0ded12bb4556f852b84938135b540N.exe
3044	d5a0ded12bb4556f852b84938135b540N.exe
3044	d5a0ded12bb4556f852b84938135b540N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2952	3924	d5a0ded12bb4556f852b84938135b540N.exe	87
PID 3924 wrote to memory of 2952	3924	d5a0ded12bb4556f852b84938135b540N.exe	87
PID 3924 wrote to memory of 2952	3924	d5a0ded12bb4556f852b84938135b540N.exe	87
PID 2952 wrote to memory of 3608	2952	d5a0ded12bb4556f852b84938135b540N.exe	92
PID 2952 wrote to memory of 3608	2952	d5a0ded12bb4556f852b84938135b540N.exe	92
PID 2952 wrote to memory of 3608	2952	d5a0ded12bb4556f852b84938135b540N.exe	92
PID 3924 wrote to memory of 456	3924	d5a0ded12bb4556f852b84938135b540N.exe	93
PID 3924 wrote to memory of 456	3924	d5a0ded12bb4556f852b84938135b540N.exe	93
PID 3924 wrote to memory of 456	3924	d5a0ded12bb4556f852b84938135b540N.exe	93
PID 2952 wrote to memory of 3568	2952	d5a0ded12bb4556f852b84938135b540N.exe	94
PID 2952 wrote to memory of 3568	2952	d5a0ded12bb4556f852b84938135b540N.exe	94
PID 2952 wrote to memory of 3568	2952	d5a0ded12bb4556f852b84938135b540N.exe	94
PID 3608 wrote to memory of 3372	3608	d5a0ded12bb4556f852b84938135b540N.exe	95
PID 3608 wrote to memory of 3372	3608	d5a0ded12bb4556f852b84938135b540N.exe	95
PID 3608 wrote to memory of 3372	3608	d5a0ded12bb4556f852b84938135b540N.exe	95
PID 3924 wrote to memory of 4316	3924	d5a0ded12bb4556f852b84938135b540N.exe	96
PID 3924 wrote to memory of 4316	3924	d5a0ded12bb4556f852b84938135b540N.exe	96
PID 3924 wrote to memory of 4316	3924	d5a0ded12bb4556f852b84938135b540N.exe	96
PID 456 wrote to memory of 4300	456	d5a0ded12bb4556f852b84938135b540N.exe	97
PID 456 wrote to memory of 4300	456	d5a0ded12bb4556f852b84938135b540N.exe	97
PID 456 wrote to memory of 4300	456	d5a0ded12bb4556f852b84938135b540N.exe	97
PID 2952 wrote to memory of 1140	2952	d5a0ded12bb4556f852b84938135b540N.exe	99
PID 2952 wrote to memory of 1140	2952	d5a0ded12bb4556f852b84938135b540N.exe	99
PID 2952 wrote to memory of 1140	2952	d5a0ded12bb4556f852b84938135b540N.exe	99
PID 3608 wrote to memory of 3936	3608	d5a0ded12bb4556f852b84938135b540N.exe	100
PID 3608 wrote to memory of 3936	3608	d5a0ded12bb4556f852b84938135b540N.exe	100
PID 3608 wrote to memory of 3936	3608	d5a0ded12bb4556f852b84938135b540N.exe	100
PID 456 wrote to memory of 1132	456	d5a0ded12bb4556f852b84938135b540N.exe	101
PID 456 wrote to memory of 1132	456	d5a0ded12bb4556f852b84938135b540N.exe	101
PID 456 wrote to memory of 1132	456	d5a0ded12bb4556f852b84938135b540N.exe	101
PID 3924 wrote to memory of 2632	3924	d5a0ded12bb4556f852b84938135b540N.exe	102
PID 3924 wrote to memory of 2632	3924	d5a0ded12bb4556f852b84938135b540N.exe	102
PID 3924 wrote to memory of 2632	3924	d5a0ded12bb4556f852b84938135b540N.exe	102
PID 3372 wrote to memory of 2316	3372	d5a0ded12bb4556f852b84938135b540N.exe	103
PID 3372 wrote to memory of 2316	3372	d5a0ded12bb4556f852b84938135b540N.exe	103
PID 3372 wrote to memory of 2316	3372	d5a0ded12bb4556f852b84938135b540N.exe	103
PID 3568 wrote to memory of 4068	3568	d5a0ded12bb4556f852b84938135b540N.exe	104
PID 3568 wrote to memory of 4068	3568	d5a0ded12bb4556f852b84938135b540N.exe	104
PID 3568 wrote to memory of 4068	3568	d5a0ded12bb4556f852b84938135b540N.exe	104
PID 4316 wrote to memory of 1508	4316	d5a0ded12bb4556f852b84938135b540N.exe	105
PID 4316 wrote to memory of 1508	4316	d5a0ded12bb4556f852b84938135b540N.exe	105
PID 4316 wrote to memory of 1508	4316	d5a0ded12bb4556f852b84938135b540N.exe	105
PID 4300 wrote to memory of 4680	4300	d5a0ded12bb4556f852b84938135b540N.exe	106
PID 4300 wrote to memory of 4680	4300	d5a0ded12bb4556f852b84938135b540N.exe	106
PID 4300 wrote to memory of 4680	4300	d5a0ded12bb4556f852b84938135b540N.exe	106
PID 2952 wrote to memory of 3056	2952	d5a0ded12bb4556f852b84938135b540N.exe	109
PID 2952 wrote to memory of 3056	2952	d5a0ded12bb4556f852b84938135b540N.exe	109
PID 2952 wrote to memory of 3056	2952	d5a0ded12bb4556f852b84938135b540N.exe	109
PID 3608 wrote to memory of 3044	3608	d5a0ded12bb4556f852b84938135b540N.exe	110
PID 3608 wrote to memory of 3044	3608	d5a0ded12bb4556f852b84938135b540N.exe	110
PID 3608 wrote to memory of 3044	3608	d5a0ded12bb4556f852b84938135b540N.exe	110
PID 456 wrote to memory of 3536	456	d5a0ded12bb4556f852b84938135b540N.exe	111
PID 456 wrote to memory of 3536	456	d5a0ded12bb4556f852b84938135b540N.exe	111
PID 456 wrote to memory of 3536	456	d5a0ded12bb4556f852b84938135b540N.exe	111
PID 3924 wrote to memory of 4348	3924	d5a0ded12bb4556f852b84938135b540N.exe	112
PID 3924 wrote to memory of 4348	3924	d5a0ded12bb4556f852b84938135b540N.exe	112
PID 3924 wrote to memory of 4348	3924	d5a0ded12bb4556f852b84938135b540N.exe	112
PID 3936 wrote to memory of 2088	3936	d5a0ded12bb4556f852b84938135b540N.exe	113
PID 3936 wrote to memory of 2088	3936	d5a0ded12bb4556f852b84938135b540N.exe	113
PID 3936 wrote to memory of 2088	3936	d5a0ded12bb4556f852b84938135b540N.exe	113
PID 1140 wrote to memory of 2868	1140	d5a0ded12bb4556f852b84938135b540N.exe	114
PID 1140 wrote to memory of 2868	1140	d5a0ded12bb4556f852b84938135b540N.exe	114
PID 1140 wrote to memory of 2868	1140	d5a0ded12bb4556f852b84938135b540N.exe	114
PID 3568 wrote to memory of 2512	3568	d5a0ded12bb4556f852b84938135b540N.exe	115

C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
"C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        8⤵
        
        PID:12792
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        8⤵
        
        PID:11640
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        8⤵
        
        PID:16084
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        8⤵
        
        PID:15568
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:11340
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:16460
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:11908
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17036
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:11784
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        8⤵
        
        PID:17724
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:15920
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:13284
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11216
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15912
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:15512
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:12404
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17400
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:15960
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11036
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17392
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5500
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15632
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6012
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7512
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:12412
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17120
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11300
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16780
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:13204
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:12092
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17044
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:12332
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17284
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:10548
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:18052
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13580
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18724
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5524
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13448
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6036
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11692
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17460
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7520
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13268
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:9916
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:13220
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:14704
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5964
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15588
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7472
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15460
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:9736
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:13160
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5344
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16100
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5972
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12148
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18200
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17244
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7496
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15616
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:9804
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16388
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:13792
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:12808
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17292
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:14296
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:10716
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13728
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18612
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16364
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15484
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15872
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10472
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16224
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11608
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15840
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6092
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13076
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18192
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7628
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:12800
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17716
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10244
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15476
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:14668
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12356
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7900
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12320
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17108
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10660
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16504
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11840
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15928
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:14440
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:12836
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17384
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10136
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:13212
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5548
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15608
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6044
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11504
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16472
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7644
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16128
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10368
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15832
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:14356
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15544
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7504
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15452
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:9864
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:13276
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:11592
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15848
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5956
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:17100
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:7464
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12388
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:17452
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:11316
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:16420
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4680
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:11960
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:17068
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:13456
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        7⤵
        
        PID:16372
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:10260
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15640
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11684
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17268
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:10492
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16404
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13260
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11476
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16528
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11496
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16456
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15492
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:14676
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10464
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:13564
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:18364
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12420
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17648
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12548
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17640
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7668
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15952
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10408
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15112
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:12816
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16412
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:12180
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:17604
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7732
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:13412
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18032
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10828
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:13588
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:18244
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11732
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:18208
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17060
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:14344
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7908
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15580
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:11440
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16520
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11600
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17376
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6052
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:14636
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16076
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10920
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16512
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5384
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:13180
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15168
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:7716
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:14448
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:10616
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:15864
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16092
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:6168
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:11700
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:16396
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:7808
      - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        6⤵
        
        PID:15552
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:10652
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:14004
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5912
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12564
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17276
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6176
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12692
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17628
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7880
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10668
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:13572
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:18348
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5628
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:11864
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17252
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12064
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:16924
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:7636
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:15944
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:10204
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:14956
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15560
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:6068
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12100
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:18216
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:17052
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:7612
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15468
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:10112
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:13748
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:18744
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12360
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12380
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:17368
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:8112
    - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
        5⤵
        
        PID:12540
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:11432
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15856
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:15624
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12232
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16112
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:7684
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12844
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:17740
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:10428
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:13808
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4348
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12128
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:16120
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:8344
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:7532
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:12896
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:18328
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:11308
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:16448
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:5392
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:11620
  - - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
      "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
      4⤵
      PID:18372
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:15936
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:5996
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:12048
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:17076
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:7652
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:13800
- - C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
    3⤵
    PID:18660
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:9512
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:12556
- C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a0ded12bb4556f852b84938135b540N.exe"
  2⤵
  PID:16380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish cum xxx licking lady (Britney,Tatjana).mpg.exe

Filesize
202KB

MD5
45101d2f10e2494c34d6c5439a1144e9

SHA1
e19d40943ab369d6a7654f601095841f467b5f55

SHA256
0330b34780dd75cbe183f1e1885c0eecf9b6e13dc0443137036f182fbc18cb64

SHA512
79996a1050b296140390d6b35fc6e15b8953df892e28e329e52389068b1d6252745623f3ac343fdcdcf69b7b004cf34e1af35fa2f0124343a57b226d7f8fe6eb

Download Submit