2764ec18ad6d5fe9dbfb2e00bc8d7c0fd335d0d6188a4b090195c8c50e202e79

Analysis

max time kernel
11s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4948596f36fe7e77bdf03cd4c1285190N.exe
Size

1.4MB
MD5

4948596f36fe7e77bdf03cd4c1285190
SHA1

5bd75198679a43683ce7cff3b905866ac0b84edc
SHA256

2764ec18ad6d5fe9dbfb2e00bc8d7c0fd335d0d6188a4b090195c8c50e202e79
SHA512

83a06811c2dbd67ccddc83f2736d0a698ed1813c01cf5b65af5dbb104391429f3e22e91b4ba1a1a01c7d9814f65044b9d1789312ac44845f74eee701a2b22d0d
SSDEEP

24576:oWtj7OmiAJgxtC8jyC8svKrFiFObZjZXZlxrb/5UCv83DBT9cyrnSA/1/xN:V8mDetC8jWGE9BHxrb/5Uc83Dx9bxN

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	4948596f36fe7e77bdf03cd4c1285190N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4948596f36fe7e77bdf03cd4c1285190N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\M:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\P:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\R:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\X:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\Z:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\E:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\K:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\S:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\U:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\G:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\H:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\J:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\O:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\Q:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\T:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\V:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\A:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\B:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\I:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\N:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\W:	4948596f36fe7e77bdf03cd4c1285190N.exe
File opened (read-only)	\??\Y:	4948596f36fe7e77bdf03cd4c1285190N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese handjob blowjob big feet traffic (Samantha).mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american handjob fucking [bangbus] glans .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese beastiality sperm hot (!) (Melissa).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian masturbation (Karin).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling licking glans shoes .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\FxsTmp\trambling catfight glans .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian animal lingerie hot (!) (Samantha).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish handjob hardcore lesbian feet .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish cum xxx catfight mistress .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish nude hardcore licking bondage (Ashley,Liz).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal horse sleeping feet ash (Samantha).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese cum gay uncut feet fishy .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Templates\trambling licking glans leather .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese porn horse licking penetration .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish kicking xxx sleeping stockings .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish horse lingerie masturbation hole .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Common Files\microsoft shared\black kicking trambling uncut feet redhair (Sylvia).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\dotnet\shared\italian kicking sperm girls circumcision .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian cumshot blowjob girls glans .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american handjob fucking full movie feet mature (Samantha).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\brasilian animal blowjob full movie glans blondie .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish action bukkake licking balls .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\danish gang bang blowjob public ejaculation .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\japanese gang bang beast hot (!) titts traffic (Melissa).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish fetish hardcore hidden (Samantha).mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian horse hardcore hot (!) hole upskirt (Sarah).avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Google\Temp\italian beastiality trambling lesbian hole blondie (Janette).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Google\Update\Download\lingerie public (Tatjana).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\russian porn bukkake hidden young .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\russian gang bang beast [bangbus] 50+ .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese cumshot lesbian uncut titts bondage .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\spanish horse [free] glans shoes (Tatjana).avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\canadian sperm public glans .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\bukkake public hole femdom .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\horse hardcore [bangbus] wifey .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fucking hidden boots (Jenna,Sylvia).avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\Downloaded Program Files\american handjob xxx big hole swallow .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\fucking licking cock leather .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\american fetish beast lesbian cock .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\bukkake voyeur .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian porn beast lesbian (Samantha).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\hardcore hidden hotel .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\CbsTemp\danish horse beast licking .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\PLA\Templates\brasilian horse gay public .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\american fetish hardcore hot (!) glans boots .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\german hardcore girls feet lady (Liz).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\asian hardcore voyeur .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\brasilian cum gay hidden titts swallow .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\blowjob lesbian feet pregnant (Jade).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\norwegian blowjob [free] penetration (Kathrin,Curtney).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\japanese action hardcore public young .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian handjob fucking big (Liz).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\russian cum beast girls 40+ .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\indian action fucking hot (!) upskirt (Gina,Jade).zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\fetish trambling big cock fishy .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\temp\blowjob [bangbus] balls .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\italian cum sperm licking .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\handjob trambling masturbation glans leather (Sylvia).avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\spanish gay lesbian feet (Christine,Curtney).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian lesbian beautyfull .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\lesbian licking leather .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian fetish beast big sweet .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\canadian sperm big .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\chinese sperm several models .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\security\templates\italian horse horse full movie hole ash .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\cumshot bukkake big gorgeoushorny .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\mssrv.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\tyrkish gang bang gay masturbation hole femdom .mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\InputMethod\SHARED\swedish horse gay voyeur (Sarah).mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\chinese beast [free] (Curtney).mpeg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\beast licking glans bedroom .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\assembly\tmp\indian fetish sperm sleeping .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish kicking horse hidden fishy .avi.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\beastiality bukkake big .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\malaysia hardcore voyeur .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SoftwareDistribution\Download\blowjob sleeping hole ejaculation .mpg.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\trambling several models 50+ .rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\cumshot lesbian licking YEâPSè& .zip.exe	4948596f36fe7e77bdf03cd4c1285190N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\black nude horse big (Curtney).rar.exe	4948596f36fe7e77bdf03cd4c1285190N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4948596f36fe7e77bdf03cd4c1285190N.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
1636	4948596f36fe7e77bdf03cd4c1285190N.exe
1636	4948596f36fe7e77bdf03cd4c1285190N.exe
1392	4948596f36fe7e77bdf03cd4c1285190N.exe
1392	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
4008	4948596f36fe7e77bdf03cd4c1285190N.exe
4008	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
4540	4948596f36fe7e77bdf03cd4c1285190N.exe
4540	4948596f36fe7e77bdf03cd4c1285190N.exe
2776	4948596f36fe7e77bdf03cd4c1285190N.exe
2776	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
4384	4948596f36fe7e77bdf03cd4c1285190N.exe
3908	4948596f36fe7e77bdf03cd4c1285190N.exe
3908	4948596f36fe7e77bdf03cd4c1285190N.exe
1636	4948596f36fe7e77bdf03cd4c1285190N.exe
1636	4948596f36fe7e77bdf03cd4c1285190N.exe
1392	4948596f36fe7e77bdf03cd4c1285190N.exe
1392	4948596f36fe7e77bdf03cd4c1285190N.exe
1952	4948596f36fe7e77bdf03cd4c1285190N.exe
1952	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe
4208	4948596f36fe7e77bdf03cd4c1285190N.exe
4208	4948596f36fe7e77bdf03cd4c1285190N.exe
1668	4948596f36fe7e77bdf03cd4c1285190N.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4384	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	84
PID 1668 wrote to memory of 4384	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	84
PID 1668 wrote to memory of 4384	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	84
PID 1668 wrote to memory of 1636	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	85
PID 1668 wrote to memory of 1636	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	85
PID 1668 wrote to memory of 1636	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	85
PID 4384 wrote to memory of 1392	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	86
PID 4384 wrote to memory of 1392	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	86
PID 4384 wrote to memory of 1392	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	86
PID 1668 wrote to memory of 4008	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	87
PID 1668 wrote to memory of 4008	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	87
PID 1668 wrote to memory of 4008	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	87
PID 4384 wrote to memory of 4540	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	88
PID 4384 wrote to memory of 4540	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	88
PID 4384 wrote to memory of 4540	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	88
PID 1636 wrote to memory of 2776	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	89
PID 1636 wrote to memory of 2776	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	89
PID 1636 wrote to memory of 2776	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	89
PID 1392 wrote to memory of 3908	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	90
PID 1392 wrote to memory of 3908	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	90
PID 1392 wrote to memory of 3908	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	90
PID 1668 wrote to memory of 1952	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	91
PID 1668 wrote to memory of 1952	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	91
PID 1668 wrote to memory of 1952	1668	4948596f36fe7e77bdf03cd4c1285190N.exe	91
PID 4008 wrote to memory of 4208	4008	4948596f36fe7e77bdf03cd4c1285190N.exe	92
PID 4008 wrote to memory of 4208	4008	4948596f36fe7e77bdf03cd4c1285190N.exe	92
PID 4008 wrote to memory of 4208	4008	4948596f36fe7e77bdf03cd4c1285190N.exe	92
PID 4384 wrote to memory of 4864	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	93
PID 4384 wrote to memory of 4864	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	93
PID 4384 wrote to memory of 4864	4384	4948596f36fe7e77bdf03cd4c1285190N.exe	93
PID 4540 wrote to memory of 4896	4540	4948596f36fe7e77bdf03cd4c1285190N.exe	94
PID 4540 wrote to memory of 4896	4540	4948596f36fe7e77bdf03cd4c1285190N.exe	94
PID 4540 wrote to memory of 4896	4540	4948596f36fe7e77bdf03cd4c1285190N.exe	94
PID 1636 wrote to memory of 3536	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	95
PID 1636 wrote to memory of 3536	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	95
PID 1636 wrote to memory of 3536	1636	4948596f36fe7e77bdf03cd4c1285190N.exe	95
PID 1392 wrote to memory of 1992	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	96
PID 1392 wrote to memory of 1992	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	96
PID 1392 wrote to memory of 1992	1392	4948596f36fe7e77bdf03cd4c1285190N.exe	96
PID 2776 wrote to memory of 4472	2776	4948596f36fe7e77bdf03cd4c1285190N.exe	97
PID 2776 wrote to memory of 4472	2776	4948596f36fe7e77bdf03cd4c1285190N.exe	97
PID 2776 wrote to memory of 4472	2776	4948596f36fe7e77bdf03cd4c1285190N.exe	97
PID 3908 wrote to memory of 412	3908	4948596f36fe7e77bdf03cd4c1285190N.exe	98
PID 3908 wrote to memory of 412	3908	4948596f36fe7e77bdf03cd4c1285190N.exe	98
PID 3908 wrote to memory of 412	3908	4948596f36fe7e77bdf03cd4c1285190N.exe	98
PID 1952 wrote to memory of 2548	1952	4948596f36fe7e77bdf03cd4c1285190N.exe	99
PID 1952 wrote to memory of 2548	1952	4948596f36fe7e77bdf03cd4c1285190N.exe	99
PID 1952 wrote to memory of 2548	1952	4948596f36fe7e77bdf03cd4c1285190N.exe	99

C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
"C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:412
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        8⤵
        
        PID:11908
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        8⤵
        
        PID:17100
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        8⤵
        
        PID:16012
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:10160
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:14276
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:12164
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:12188
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:18072
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:15876
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:9472
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:12876
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:17164
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:12892
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:7768
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:16104
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:9988
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:13832
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:19324
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:15988
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:13716
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:19256
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15424
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20244
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9124
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12428
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:720
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:11396
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:16900
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:16004
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:10260
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:14448
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:19532
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:8836
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:12224
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:18116
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15052
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20128
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9604
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13216
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18988
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5844
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:11700
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:16968
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15996
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10224
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:14292
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12240
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:16028
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9524
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12868
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7332
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6444
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15432
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20252
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8832
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12232
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:18100
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:10668
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:15776
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:15980
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:10152
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:13840
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:19432
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:9088
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:12212
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:18108
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7124
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15100
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20188
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9804
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13084
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18652
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:18320
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:11884
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:17064
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:6928
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15132
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20176
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9436
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12492
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:13488
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:19188
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9132
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12508
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13244
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18872
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8372
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:11792
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17008
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:11388
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:16876
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7524
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15964
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10184
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13808
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19308
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7396
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15860
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10136
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13800
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19300
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6904
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15164
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20212
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:9540
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12968
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8004
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5228
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15868
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10144
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13732
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19264
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6688
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15084
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20152
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8652
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:11984
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12256
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:18252
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6592
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15196
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20196
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8976
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12304
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:18376
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12204
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17992
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:8392
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:7300
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:11804
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:17016
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:4772
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:3720
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        7⤵
        
        PID:16848
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:10196
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:14256
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:8940
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:18328
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15616
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9612
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13076
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18516
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:856
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:9340
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:12652
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7360
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15464
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20364
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9752
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12976
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7856
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:8304
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:7492
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:11708
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:17092
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6720
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15076
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20144
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8948
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12296
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:18360
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:12108
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:17448
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7672
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15972
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10176
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13824
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19316
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5344
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:8716
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12196
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18012
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6936
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15092
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20168
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:9516
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12900
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8012
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5416
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:8904
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12264
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18352
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:7092
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15240
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20236
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:9532
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12908
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:7736
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6536
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15060
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20136
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8968
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12324
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:3516
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:13584
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:19076
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:8064
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17000
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:11260
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:16548
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:5504
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:9072
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:18368
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15604
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:8996
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9740
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13816
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:11448
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15444
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20276
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9864
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13092
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18880
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6424
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:14316
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12468
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8660
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19440
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12156
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17776
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15956
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:10120
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:13724
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:19248
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15068
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20160
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:9100
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12484
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:5880
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6608
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:15156
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:20220
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8932
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12272
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:18344
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:6092
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:11944
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17132
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:8076
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17124
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:11300
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:16556
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:6744
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:15188
      - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        6⤵
        
        PID:20204
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:9108
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12500
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18260
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6108
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:11896
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:17116
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8180
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:17836
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:16992
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6304
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:12924
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18524
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:11468
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12008
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17356
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:5932
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:11588
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:16984
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:7648
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:16020
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:10308
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:14396
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:19500
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:6388
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:18336
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:8708
    - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
        5⤵
        
        PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12168
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:17912
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:11716
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:16976
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:7656
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:16200
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:10660
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:15756
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:12916
  - - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
      "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
      4⤵
      PID:7908
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:9080
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:12436
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:7572
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:11916
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:17108
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:7664
- - C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
    "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
    3⤵
    PID:16192
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:10168
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:13792
- C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe
  "C:\Users\Admin\AppData\Local\Temp\4948596f36fe7e77bdf03cd4c1285190N.exe"
  2⤵
  PID:19292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese porn horse licking penetration .zip.exe

Filesize
1.6MB

MD5
029ea17caaa94658d8086984807dd8c0

SHA1
f191ecdc5bf362b2be6c8be9a3904b59dd6b3062

SHA256
1d05816c3fb348ce7f390869f4eaf3c4e52ad213b1995c7e7a5298bd5d05b4bc

SHA512
62d902aa5746513695cb334476ffc7ed625d67bf0cb91cef26be107bd4bfc0617a086242db1f3e1cf243073177312366960bda76ef64d91e6675e2784a40209f

Download Submit