7446cdc9fc183b63c54cc8dfff4d574e6cc4044e803dafc683440cac7ce8d655

Analysis

max time kernel
15s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a2a6aa57789deee95e72b504dbbeb0N.exe
Size

1.9MB
MD5

50a2a6aa57789deee95e72b504dbbeb0
SHA1

8663dc347ef6743b2b1b1b1642dde5ab8faec143
SHA256

7446cdc9fc183b63c54cc8dfff4d574e6cc4044e803dafc683440cac7ce8d655
SHA512

3e168a44b68a8ad63f7dcf2c274696b54caca8e8695a04db59335e0b7f826d35562f24bdbe758fcfaf9689e7834e30c863fd53a900fb8f724de183661d70e135
SSDEEP

49152:h5BdJKGVVSmSWnHcCE+o4fZoRzDbHnGMoj0Ow1JfzLmTGrg:/HJKsSZWnHcCEh4qmMJ1JfP4G0

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	50a2a6aa57789deee95e72b504dbbeb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	50a2a6aa57789deee95e72b504dbbeb0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\L:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\Z:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\B:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\I:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\Q:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\R:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\U:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\Y:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\V:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\W:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\E:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\M:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\O:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\P:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\S:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\T:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\A:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\G:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\H:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\J:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\N:	50a2a6aa57789deee95e72b504dbbeb0N.exe
File opened (read-only)	\??\X:	50a2a6aa57789deee95e72b504dbbeb0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\xxx hardcore several models .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese kicking gay [bangbus] boobs leather .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian animal voyeur (Melissa).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\british lesbian lingerie [free] .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\porn public ash balls .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\System32\DriverStore\Temp\action horse girls boobs YEâPSè& .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian sperm lesbian shower .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\british xxx bukkake girls stockings (Anniston).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gay beastiality hidden (Janette,Ashley).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian hardcore horse several models sm .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\british cumshot fetish lesbian blondie .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\malaysia cumshot uncut mature .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\american xxx [bangbus] boobs (Jade,Christine).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\blowjob trambling masturbation ash (Curtney).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\xxx nude several models fishy .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Google\Temp\hardcore hardcore hot (!) .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\cumshot kicking full movie (Sandy).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\dotnet\shared\swedish animal trambling lesbian shower .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\spanish sperm porn full movie balls (Melissa).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\canadian bukkake horse [milf] young (Janette,Karin).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\bukkake beastiality licking (Christine).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\italian beastiality animal [free] gorgeoushorny .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\nude bukkake [milf] ejaculation .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\russian horse hot (!) upskirt .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\british action cumshot voyeur vagina leather .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\norwegian gang bang porn big titts blondie .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\animal big wifey (Melissa).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian cum full movie (Janette,Janette).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fetish hot (!) (Sandy).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\gang bang cumshot [bangbus] hotel .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\fetish sperm public (Sylvia,Samantha).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\porn gay several models wifey .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\japanese cum [milf] titts (Jenna,Melissa).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\nude masturbation .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\italian horse trambling lesbian boobs traffic (Gina,Sandy).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\beastiality public boobs swallow (Jade).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\german cumshot full movie hole granny .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\animal gang bang several models .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\action big granny .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\brasilian lingerie uncut leather .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\canadian gang bang bukkake big shower .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\brasilian cumshot licking leather .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\horse animal public pregnant .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\action beast catfight .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\mssrv.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese sperm hardcore full movie cock penetration .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\fucking voyeur (Samantha).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\gay action several models (Melissa,Sarah).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\american fetish handjob [milf] hairy (Anniston).zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\blowjob [bangbus] blondie .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\norwegian cumshot [milf] .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\hardcore bukkake [free] YEâPSè& .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\british trambling gang bang several models traffic .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\spanish gang bang hot (!) boobs gorgeoushorny .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\japanese lingerie lesbian upskirt .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\italian xxx hidden black hairunshaved (Britney,Tatjana).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\russian gang bang uncut sm .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\american porn licking shower .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob cumshot hidden hotel .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\norwegian fetish hardcore big .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\black blowjob hot (!) .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\spanish blowjob full movie fishy .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\black porn licking wifey (Kathrin,Christine).zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\canadian sperm licking (Samantha).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\cum hot (!) mistress (Curtney,Sandy).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\italian sperm animal masturbation circumcision .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\InputMethod\SHARED\porn hot (!) balls (Liz).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\fucking nude uncut titts redhair .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\canadian bukkake [free] vagina .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\Downloaded Program Files\bukkake licking fishy .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish horse horse lesbian hole .mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\canadian handjob hot (!) (Karin,Ashley).mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\malaysia porn big (Melissa,Sonja).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\PLA\Templates\russian gang bang sleeping shower .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\security\templates\lesbian fucking catfight .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\canadian nude lesbian licking cock granny .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\german lesbian uncut ejaculation .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\bukkake public femdom (Gina,Liz).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\cumshot hidden (Karin,Melissa).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\danish action several models shower .avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\american blowjob uncut (Sylvia,Sarah).rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\chinese cum action uncut .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\german sperm handjob catfight upskirt (Sandy).mpg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\horse voyeur (Melissa,Karin).zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling bukkake licking lady .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\kicking licking high heels (Sonja).zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\japanese horse public ash .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\japanese trambling girls YEâPSè& .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\cum [free] lady .mpeg.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\hardcore sleeping .rar.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\asian hardcore [bangbus] young .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\fetish [free] blondie (Christine,Sarah).zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\tyrkish blowjob [milf] .zip.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\african bukkake fucking public nipples girly (Liz).avi.exe	50a2a6aa57789deee95e72b504dbbeb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50a2a6aa57789deee95e72b504dbbeb0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
3136	50a2a6aa57789deee95e72b504dbbeb0N.exe
3136	50a2a6aa57789deee95e72b504dbbeb0N.exe
2200	50a2a6aa57789deee95e72b504dbbeb0N.exe
2200	50a2a6aa57789deee95e72b504dbbeb0N.exe
3904	50a2a6aa57789deee95e72b504dbbeb0N.exe
3904	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
4028	50a2a6aa57789deee95e72b504dbbeb0N.exe
4028	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
1752	50a2a6aa57789deee95e72b504dbbeb0N.exe
1756	50a2a6aa57789deee95e72b504dbbeb0N.exe
1756	50a2a6aa57789deee95e72b504dbbeb0N.exe
1644	50a2a6aa57789deee95e72b504dbbeb0N.exe
1644	50a2a6aa57789deee95e72b504dbbeb0N.exe
1096	50a2a6aa57789deee95e72b504dbbeb0N.exe
1096	50a2a6aa57789deee95e72b504dbbeb0N.exe
5060	50a2a6aa57789deee95e72b504dbbeb0N.exe
5060	50a2a6aa57789deee95e72b504dbbeb0N.exe
3136	50a2a6aa57789deee95e72b504dbbeb0N.exe
3136	50a2a6aa57789deee95e72b504dbbeb0N.exe
1080	50a2a6aa57789deee95e72b504dbbeb0N.exe
1080	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
4692	50a2a6aa57789deee95e72b504dbbeb0N.exe
2200	50a2a6aa57789deee95e72b504dbbeb0N.exe
2200	50a2a6aa57789deee95e72b504dbbeb0N.exe
2156	50a2a6aa57789deee95e72b504dbbeb0N.exe
2156	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
1720	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
448	50a2a6aa57789deee95e72b504dbbeb0N.exe
4976	50a2a6aa57789deee95e72b504dbbeb0N.exe
4976	50a2a6aa57789deee95e72b504dbbeb0N.exe
2296	50a2a6aa57789deee95e72b504dbbeb0N.exe
2296	50a2a6aa57789deee95e72b504dbbeb0N.exe
3904	50a2a6aa57789deee95e72b504dbbeb0N.exe
3904	50a2a6aa57789deee95e72b504dbbeb0N.exe
4028	50a2a6aa57789deee95e72b504dbbeb0N.exe
4028	50a2a6aa57789deee95e72b504dbbeb0N.exe
3572	50a2a6aa57789deee95e72b504dbbeb0N.exe
3572	50a2a6aa57789deee95e72b504dbbeb0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1720	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	86
PID 4692 wrote to memory of 1720	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	86
PID 4692 wrote to memory of 1720	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	86
PID 1720 wrote to memory of 1752	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	87
PID 1720 wrote to memory of 1752	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	87
PID 1720 wrote to memory of 1752	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	87
PID 4692 wrote to memory of 448	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	88
PID 4692 wrote to memory of 448	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	88
PID 4692 wrote to memory of 448	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	88
PID 1752 wrote to memory of 3136	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	89
PID 1752 wrote to memory of 3136	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	89
PID 1752 wrote to memory of 3136	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	89
PID 1720 wrote to memory of 2200	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	90
PID 1720 wrote to memory of 2200	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	90
PID 1720 wrote to memory of 2200	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	90
PID 4692 wrote to memory of 3904	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	91
PID 4692 wrote to memory of 3904	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	91
PID 4692 wrote to memory of 3904	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	91
PID 448 wrote to memory of 4028	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	92
PID 448 wrote to memory of 4028	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	92
PID 448 wrote to memory of 4028	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	92
PID 1752 wrote to memory of 1644	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	93
PID 1752 wrote to memory of 1644	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	93
PID 1752 wrote to memory of 1644	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	93
PID 3136 wrote to memory of 1756	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	94
PID 3136 wrote to memory of 1756	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	94
PID 3136 wrote to memory of 1756	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	94
PID 4692 wrote to memory of 1080	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	95
PID 4692 wrote to memory of 1080	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	95
PID 4692 wrote to memory of 1080	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	95
PID 2200 wrote to memory of 5060	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	96
PID 2200 wrote to memory of 5060	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	96
PID 2200 wrote to memory of 5060	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	96
PID 1720 wrote to memory of 1096	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	97
PID 1720 wrote to memory of 1096	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	97
PID 1720 wrote to memory of 1096	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	97
PID 448 wrote to memory of 2156	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	98
PID 448 wrote to memory of 2156	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	98
PID 448 wrote to memory of 2156	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	98
PID 3904 wrote to memory of 2296	3904	50a2a6aa57789deee95e72b504dbbeb0N.exe	99
PID 3904 wrote to memory of 2296	3904	50a2a6aa57789deee95e72b504dbbeb0N.exe	99
PID 3904 wrote to memory of 2296	3904	50a2a6aa57789deee95e72b504dbbeb0N.exe	99
PID 4028 wrote to memory of 4976	4028	50a2a6aa57789deee95e72b504dbbeb0N.exe	100
PID 4028 wrote to memory of 4976	4028	50a2a6aa57789deee95e72b504dbbeb0N.exe	100
PID 4028 wrote to memory of 4976	4028	50a2a6aa57789deee95e72b504dbbeb0N.exe	100
PID 1752 wrote to memory of 3572	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	101
PID 1752 wrote to memory of 3572	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	101
PID 1752 wrote to memory of 3572	1752	50a2a6aa57789deee95e72b504dbbeb0N.exe	101
PID 3136 wrote to memory of 512	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	102
PID 3136 wrote to memory of 512	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	102
PID 3136 wrote to memory of 512	3136	50a2a6aa57789deee95e72b504dbbeb0N.exe	102
PID 4692 wrote to memory of 964	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	103
PID 4692 wrote to memory of 964	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	103
PID 4692 wrote to memory of 964	4692	50a2a6aa57789deee95e72b504dbbeb0N.exe	103
PID 2200 wrote to memory of 1136	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	104
PID 2200 wrote to memory of 1136	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	104
PID 2200 wrote to memory of 1136	2200	50a2a6aa57789deee95e72b504dbbeb0N.exe	104
PID 1720 wrote to memory of 2288	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	105
PID 1720 wrote to memory of 2288	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	105
PID 1720 wrote to memory of 2288	1720	50a2a6aa57789deee95e72b504dbbeb0N.exe	105
PID 448 wrote to memory of 1976	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	106
PID 448 wrote to memory of 1976	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	106
PID 448 wrote to memory of 1976	448	50a2a6aa57789deee95e72b504dbbeb0N.exe	106
PID 1644 wrote to memory of 4556	1644	50a2a6aa57789deee95e72b504dbbeb0N.exe	107

C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
"C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        9⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        9⤵
        
        PID:14408
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        9⤵
        
        PID:23436
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:17012
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:16736
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:23420
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12464
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:17512
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:17148
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:10572
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:23468
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:17028
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16924
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16720
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12260
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:13576
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:14456
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:512
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:16632
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12512
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:18668
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16752
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:22640
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12440
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19396
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:3360
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:22284
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10488
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:23012
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12376
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19316
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11288
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:23428
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16948
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16672
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12656
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19284
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:8388
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:16592
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12820
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:17324
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16688
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:23376
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12456
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17480
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:20152
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10516
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16900
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:6036
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12784
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17364
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8596
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19364
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12252
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16624
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16128
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12964
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11044
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12244
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17092
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7372
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16520
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:14284
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10232
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12400
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16916
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7960
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16112
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12936
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:11036
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:23384
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19248
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12568
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17108
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8604
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22396
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12688
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17440
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:8452
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:16180
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:13036
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:13048
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:17432
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16552
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:9788
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:15660
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12868
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12504
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16884
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:3364
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16156
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:13172
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10680
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12352
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16980
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:6052
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12600
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19276
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8652
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:21240
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12680
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19300
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16120
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:13192
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11256
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16972
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7080
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:14444
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10120
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:22684
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12448
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17456
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19388
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10452
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:22652
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12392
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16892
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12632
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17488
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8644
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:15852
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12900
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12276
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:13992
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:648
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16560
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11052
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:22864
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12236
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17076
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:6820
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16568
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10200
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:23056
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12408
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19260
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16164
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:22552
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10560
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12360
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16908
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12592
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19332
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8548
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16056
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:13000
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12704
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17132
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5688
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8532
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17536
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:13040
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17372
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6904
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16536
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:14528
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10208
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12904
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12416
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17124
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:7916
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:14448
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10940
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:23460
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12328
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:19232
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:13068
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17424
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:8588
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16704
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12844
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:18660
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:8440
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        8⤵
        
        PID:16648
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:12812
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:17348
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16680
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:9820
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:14956
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:10876
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12496
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17156
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16504
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:22596
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11000
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:23444
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12304
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17084
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12624
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17060
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8556
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16656
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12720
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17308
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16664
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12520
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17332
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7060
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:14556
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:14796
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10156
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:23536
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12432
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19324
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19380
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10664
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12344
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16940
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:11352
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:22384
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:832
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17020
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8620
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16744
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12672
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:19216
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5596
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16640
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12768
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17316
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7204
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19372
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10172
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:23392
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12268
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16956
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:7688
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16172
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:13424
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:10688
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:22668
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12336
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16996
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12576
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19268
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8580
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:15844
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12884
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12664
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17520
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8380
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19340
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12760
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16584
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:14340
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16512
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:9972
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16528
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22604
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12480
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:19240
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16496
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:14728
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10496
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:23528
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12384
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:19404
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12552
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17100
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:8564
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16064
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12968
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12648
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:19292
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:16768
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        7⤵
        
        PID:23452
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12296
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16988
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:6732
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:17448
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:9964
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:10264
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12488
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17472
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:19348
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:11548
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:11336
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16932
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12608
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17504
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8660
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:20032
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12584
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17464
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5680
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8636
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16712
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12712
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:17528
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:7076
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16376
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:13212
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10216
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12424
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17824
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8276
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16348
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:13196
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:11248
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22856
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17340
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:11496
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22632
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12284
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17052
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:8540
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16696
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12772
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:17356
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:5652
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:16028
      - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        6⤵
        
        PID:12932
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19308
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:6828
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16544
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:14356
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:9988
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:19356
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12472
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:19200
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:8220
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22292
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10980
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22676
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12320
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17068
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12544
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17496
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:8668
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16876
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12536
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:17036
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:7928
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:16728
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:10776
    - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
        5⤵
        
        PID:22660
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12312
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16964
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:6348
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:12640
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:17044
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:8676
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16760
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12560
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:19208
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
      4⤵
      PID:16576
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:10672
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12368
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:17004
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:12616
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:19224
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  PID:8796
- - C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
    3⤵
    PID:17116
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  PID:12528
- C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\50a2a6aa57789deee95e72b504dbbeb0N.exe"
  2⤵
  PID:17140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian cum full movie (Janette,Janette).rar.exe

Filesize
274KB

MD5
347782472101cd30695ca773d07a39f9

SHA1
3cc8125b9a8aaf95e82cce93c64c6d5891f0fec1

SHA256
a8e7aab8af777d30c6bc87143524f559040c6c7136cfe2cfe554386d81cd9b9a

SHA512
1b00cf0ef5aa8f6fb621cc6949f6d2b4bd81e1c965f6ec3727aeef2639e0b022673a4c15ce51f5bce032f585ad9c83eeba47ffcc8e94b65c100d52ed5e8a1c21

Download Submit
C:\debug.txt

Filesize
146B

MD5
61c2a889bdcdd82d89da728448478b58

SHA1
159cf17673ecddb4e749350550931ee1ae781259

SHA256
8d177a632e652f2fe940feac7e796c61ff13f7cd8a25a18a89e47f788f9fc1ec

SHA512
a4aa7b212d9725b30b346db14a8f4909fddfe1e82a1d8c6b7700eea1f6b68f69c235a140feaa992efbbafbbeaa5bd940dfd5714477d1ec21f5ecbae886088aa4

Download Submit