d493533fc222a5e6ab2fd8d17dd5099213090bf307647e8d50c9cfe51f9f3584

Analysis

max time kernel
12s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b57b59d8bf8c07140174a2a5a9acb10N.exe
Size

624KB
MD5

4b57b59d8bf8c07140174a2a5a9acb10
SHA1

5c9ed70c715999fb7056a2e135b2abab96b7059c
SHA256

d493533fc222a5e6ab2fd8d17dd5099213090bf307647e8d50c9cfe51f9f3584
SHA512

4c76f86bd979697d6b9c0c69dd79421ddb382b6f52d9b476d3e79d5bea904fb30890639ffe9b355175db22f4b70afc4e88d735d9c51827e0c8693c8666c6b2eb
SSDEEP

12288:dXCNi9Bi6CyTvvl2ywehL8Y/6Wq1+e1aJa3e/I2eIrYJT0I6za+XLdi5C:oWi/yz8ywehL8Y/6V/aJa3e/LeAYJT0n

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\G:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\J:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\L:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\V:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\M:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\O:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\Q:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\T:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\U:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\Y:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\W:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\Z:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\E:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\H:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\K:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\N:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\P:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\R:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\B:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\I:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\S:	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File opened (read-only)	\??\X:	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black gang bang lingerie big Œã .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse sleeping hole castration (Janette).avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian beastiality lesbian [bangbus] cock sweet (Sarah).zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american fetish bukkake full movie feet (Christine,Tatjana).mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse [bangbus] cock 40+ .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\hardcore hot (!) shower .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese fetish lesbian voyeur .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish gang bang lingerie masturbation .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish animal fucking masturbation cock traffic (Melissa).zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay masturbation swallow (Sandy,Tatjana).rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish kicking horse uncut .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\System32\DriverStore\Temp\fucking big 40+ .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\russian horse gay big .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\dotnet\shared\american cumshot fucking hot (!) .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian animal horse voyeur feet (Jenna,Jade).rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian fetish trambling big .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob catfight titts Ôï .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob masturbation glans gorgeoushorny .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake girls (Janette).rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\beast [milf] .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish lingerie uncut .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese beastiality beast girls feet latex .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Google\Temp\danish cumshot trambling licking boots .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Google\Update\Download\lingerie hidden titts boots .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\russian handjob blowjob full movie .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fucking several models ash .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish cum sperm sleeping castration .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\bukkake catfight .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish animal bukkake public beautyfull .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\black animal trambling [bangbus] hairy (Ashley,Samantha).mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\sperm [bangbus] hole girly (Liz).mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese animal horse girls bedroom .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\american gang bang horse public feet bedroom (Liz).mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\gay hot (!) gorgeoushorny .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\Downloaded Program Files\bukkake girls .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking several models glans .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\security\templates\horse public cock 50+ (Jade).avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish kicking lingerie lesbian hole .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\japanese cum bukkake uncut glans 40+ .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\kicking fucking licking feet .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\spanish fucking lesbian ash (Kathrin,Curtney).mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\CbsTemp\tyrkish fetish trambling full movie boots (Kathrin,Karin).mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\tyrkish nude xxx [milf] .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian animal blowjob licking titts bondage .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\sperm [milf] .mpeg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese handjob lesbian [milf] hole .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\temp\russian beastiality beast big glans redhair .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\italian horse gay lesbian feet granny (Karin).avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\nude beast masturbation upskirt .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\mssrv.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\brasilian horse sperm lesbian circumcision (Christine,Jade).mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\brasilian gang bang hardcore sleeping hole .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\malaysia hardcore catfight (Sylvia).avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\tmp\indian beastiality blowjob full movie (Karin).zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\PLA\Templates\lingerie big (Curtney).avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\danish horse horse public .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx masturbation upskirt .mpg.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\indian beastiality hardcore several models .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\tyrkish porn hardcore hot (!) young .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\trambling girls redhair .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\italian beastiality beast masturbation cock .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\russian nude beast uncut shower .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\black handjob horse [bangbus] mature (Britney,Samantha).rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\sperm uncut cock ash .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling voyeur titts bedroom .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american nude hardcore [milf] beautyfull .avi.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\american handjob fucking [milf] titts circumcision .zip.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe
File created	C:\Windows\InputMethod\SHARED\russian cum gay full movie circumcision .rar.exe	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4328	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4328	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
3204	4b57b59d8bf8c07140174a2a5a9acb10N.exe
3204	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1596	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1596	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1852	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1852	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2872	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2872	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe
3348	4b57b59d8bf8c07140174a2a5a9acb10N.exe
3348	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2332	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2332	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4316	4b57b59d8bf8c07140174a2a5a9acb10N.exe
4316	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1204	4b57b59d8bf8c07140174a2a5a9acb10N.exe
1204	4b57b59d8bf8c07140174a2a5a9acb10N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4972	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	86
PID 2172 wrote to memory of 4972	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	86
PID 2172 wrote to memory of 4972	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	86
PID 2172 wrote to memory of 1964	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	87
PID 2172 wrote to memory of 1964	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	87
PID 2172 wrote to memory of 1964	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	87
PID 4972 wrote to memory of 2580	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	88
PID 4972 wrote to memory of 2580	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	88
PID 4972 wrote to memory of 2580	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	88
PID 2172 wrote to memory of 4936	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	89
PID 2172 wrote to memory of 4936	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	89
PID 2172 wrote to memory of 4936	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	89
PID 1964 wrote to memory of 1516	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	90
PID 1964 wrote to memory of 1516	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	90
PID 1964 wrote to memory of 1516	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	90
PID 4972 wrote to memory of 4328	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	91
PID 4972 wrote to memory of 4328	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	91
PID 4972 wrote to memory of 4328	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	91
PID 2580 wrote to memory of 3204	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	92
PID 2580 wrote to memory of 3204	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	92
PID 2580 wrote to memory of 3204	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	92
PID 2172 wrote to memory of 1596	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	93
PID 2172 wrote to memory of 1596	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	93
PID 2172 wrote to memory of 1596	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	93
PID 4936 wrote to memory of 1852	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	94
PID 4936 wrote to memory of 1852	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	94
PID 4936 wrote to memory of 1852	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	94
PID 1964 wrote to memory of 2872	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	95
PID 1964 wrote to memory of 2872	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	95
PID 1964 wrote to memory of 2872	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	95
PID 4972 wrote to memory of 3348	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	96
PID 4972 wrote to memory of 3348	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	96
PID 4972 wrote to memory of 3348	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	96
PID 1516 wrote to memory of 2332	1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe	97
PID 1516 wrote to memory of 2332	1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe	97
PID 1516 wrote to memory of 2332	1516	4b57b59d8bf8c07140174a2a5a9acb10N.exe	97
PID 2580 wrote to memory of 4316	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	98
PID 2580 wrote to memory of 4316	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	98
PID 2580 wrote to memory of 4316	2580	4b57b59d8bf8c07140174a2a5a9acb10N.exe	98
PID 4328 wrote to memory of 1816	4328	4b57b59d8bf8c07140174a2a5a9acb10N.exe	99
PID 4328 wrote to memory of 1816	4328	4b57b59d8bf8c07140174a2a5a9acb10N.exe	99
PID 4328 wrote to memory of 1816	4328	4b57b59d8bf8c07140174a2a5a9acb10N.exe	99
PID 3204 wrote to memory of 1204	3204	4b57b59d8bf8c07140174a2a5a9acb10N.exe	100
PID 3204 wrote to memory of 1204	3204	4b57b59d8bf8c07140174a2a5a9acb10N.exe	100
PID 3204 wrote to memory of 1204	3204	4b57b59d8bf8c07140174a2a5a9acb10N.exe	100
PID 2172 wrote to memory of 2212	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	101
PID 2172 wrote to memory of 2212	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	101
PID 2172 wrote to memory of 2212	2172	4b57b59d8bf8c07140174a2a5a9acb10N.exe	101
PID 4936 wrote to memory of 4568	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	102
PID 4936 wrote to memory of 4568	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	102
PID 4936 wrote to memory of 4568	4936	4b57b59d8bf8c07140174a2a5a9acb10N.exe	102
PID 1964 wrote to memory of 2028	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	103
PID 1964 wrote to memory of 2028	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	103
PID 1964 wrote to memory of 2028	1964	4b57b59d8bf8c07140174a2a5a9acb10N.exe	103
PID 1596 wrote to memory of 4512	1596	4b57b59d8bf8c07140174a2a5a9acb10N.exe	104
PID 1596 wrote to memory of 4512	1596	4b57b59d8bf8c07140174a2a5a9acb10N.exe	104
PID 1596 wrote to memory of 4512	1596	4b57b59d8bf8c07140174a2a5a9acb10N.exe	104
PID 1852 wrote to memory of 1932	1852	4b57b59d8bf8c07140174a2a5a9acb10N.exe	105
PID 1852 wrote to memory of 1932	1852	4b57b59d8bf8c07140174a2a5a9acb10N.exe	105
PID 1852 wrote to memory of 1932	1852	4b57b59d8bf8c07140174a2a5a9acb10N.exe	105
PID 4972 wrote to memory of 1112	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	106
PID 4972 wrote to memory of 1112	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	106
PID 4972 wrote to memory of 1112	4972	4b57b59d8bf8c07140174a2a5a9acb10N.exe	106
PID 2872 wrote to memory of 2712	2872	4b57b59d8bf8c07140174a2a5a9acb10N.exe	107

C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
"C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        8⤵
        
        PID:11312
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:14468
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:8420
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:14196
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:14032
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:9112
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:12416
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:12156
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:7428
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10184
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14148
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:11012
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13368
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8492
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11004
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:652
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:11272
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10328
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14272
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5400
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14092
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13444
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8564
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11020
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7396
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10092
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14256
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7768
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10428
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6356
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13272
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8352
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:10956
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:12168
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:7828
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10396
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10540
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14456
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7272
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13912
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:9932
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14064
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:11232
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7088
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13860
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:9476
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13836
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7992
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10796
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6476
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13356
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8536
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11288
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3872
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:11656
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7632
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10388
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13544
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:12800
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:5584
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10164
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14124
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6824
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13852
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:9192
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:12536
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8572
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11028
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:6248
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:12176
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:8288
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10948
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:10248
        
        C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        7⤵
        
        PID:14204
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:7368
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:9992
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14072
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5464
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10076
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14080
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13844
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:9008
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:12408
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10172
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14212
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13416
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8824
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11740
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11036
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6416
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13192
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8464
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:10996
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:11280
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6936
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13592
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:9184
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:12316
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3832
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7820
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10348
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14280
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6292
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:12304
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8244
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11192
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:5216
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8384
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11208
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6440
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:452
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8544
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11076
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6488
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13432
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8508
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11200
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11664
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:7776
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10404
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:10140
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:14100
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        6⤵
        
        PID:13608
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8780
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:11636
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:8008
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10820
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6160
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:12324
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:7964
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:10780
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:7436
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:10192
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14188
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6188
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13124
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:10804
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6468
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13184
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11044
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:3020
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:7540
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10336
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:14264
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:9684
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:14040
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6580
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13828
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:8660
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11516
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:6804
    - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
        5⤵
        
        PID:13468
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:9284
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:12916
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11524
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:7648
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10376
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:1696
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:7752
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:10560
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
      "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
      4⤵
      PID:11680
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:7972
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10812
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:7496
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:10368
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:14288
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
    3⤵
    PID:11932
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:7788
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:10412
- C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe
  "C:\Users\Admin\AppData\Local\Temp\4b57b59d8bf8c07140174a2a5a9acb10N.exe"
  2⤵
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob masturbation glans gorgeoushorny .avi.exe

Filesize
1.4MB

MD5
396f6781ca817a42326c3437602ec702

SHA1
43ef8faebf1df8cd8ad779c2d6d4acd2c864b5cc

SHA256
a1df31bfbbd4b815dc560dfccca2496ae8f89a11fe68daa1c32577b59fc3b326

SHA512
3a982b3c34d697fbdce85f82cf348801b080b44b7c2eaa1fc29b7c778131d868940dd7df5e0a818ec7b2ad3fa97da2903c93a84fc12307840d618c070a5f6285

Download Submit