5b16479a9db37b040e22d65551aa3c2d057e347c012d652460196e380483c687

Analysis

max time kernel
11s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c972714802cdfd78fe47189077a0ca70N.exe
Size

1.1MB
MD5

c972714802cdfd78fe47189077a0ca70
SHA1

6e9d7561e8a4f16a6ab9cc296ac6c2254d31696f
SHA256

5b16479a9db37b040e22d65551aa3c2d057e347c012d652460196e380483c687
SHA512

02b28b69e7309e9a8980d9644c32ba4099834edc0892e655cd35beaf37eddcf84706c61448bdfe6cb438cf092f537c9a81249c6ee1047e1848560424f982b3d3
SSDEEP

24576:oWIbUCI9YqzNv0PwnLRJXOKfoN6qn7jebBKGi4k7w:VI4VMP2Fg2cXCBIw

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c972714802cdfd78fe47189077a0ca70N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	c972714802cdfd78fe47189077a0ca70N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\I:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\J:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\W:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\E:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\O:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\V:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\X:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\M:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\B:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\H:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\L:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\N:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\R:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\Y:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\Z:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\A:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\P:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\Q:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\S:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\T:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\U:	c972714802cdfd78fe47189077a0ca70N.exe
File opened (read-only)	\??\K:	c972714802cdfd78fe47189077a0ca70N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\russian action catfight .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish horse [milf] (Samantha).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\animal sleeping legs redhair .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black bukkake cum [milf] latex .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\System32\DriverStore\Temp\horse [milf] ash young (Sonja).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian bukkake hidden (Britney).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore lesbian licking (Jade,Samantha).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beastiality licking titts high heels .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake voyeur .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\xxx catfight .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese handjob lesbian upskirt (Jenna).zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob catfight boots (Janette).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\lingerie hot (!) .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Common Files\microsoft shared\russian horse horse public penetration (Tatjana).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia cum [free] hole (Karin,Jade).mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay sperm licking .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\spanish trambling cumshot uncut swallow (Anniston).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\spanish sperm lesbian hole 50+ (Jenna,Anniston).mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking cumshot several models mature .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american kicking sperm full movie high heels (Melissa).mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\dotnet\shared\black horse kicking sleeping .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\norwegian nude hot (!) boobs balls .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\french lingerie fucking catfight cock redhair .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\canadian blowjob animal sleeping legs .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\french porn [bangbus] titts .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese lingerie big vagina granny .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\malaysia gay blowjob hidden (Samantha,Ashley).zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Google\Update\Download\black xxx action [milf] wifey (Sandy).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\blowjob animal catfight .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\japanese beastiality [milf] .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\african beastiality [milf] feet .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\horse girls .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\malaysia hardcore gay full movie lady .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\assembly\tmp\canadian beastiality uncut hairy (Jenna).zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\british action bukkake public circumcision .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\porn gang bang sleeping sm (Curtney,Sandy).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\chinese blowjob fucking [free] wifey .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\xxx uncut swallow .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\lingerie voyeur ash wifey (Gina,Anniston).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\kicking uncut cock girly .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\american trambling porn girls upskirt (Samantha,Britney).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\norwegian lingerie beast masturbation .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\french horse [bangbus] boots .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\russian sperm lesbian feet ejaculation .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie voyeur (Gina).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\asian beastiality porn girls mistress (Anniston).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish horse gay masturbation .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\african beastiality action full movie nipples wifey .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\french lesbian public sm .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\japanese blowjob big glans (Gina).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\spanish handjob [free] black hairunshaved .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\african fetish beast several models circumcision .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\canadian horse licking mistress .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\gay [bangbus] cock (Liz).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian handjob lesbian shoes .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\gay cum [bangbus] .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\malaysia fucking girls .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\african blowjob hardcore full movie latex .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\italian xxx hardcore voyeur leather .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob action hot (!) nipples .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\indian trambling cum hot (!) mistress .mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\japanese fucking big balls .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\german porn hidden boobs ¼ë (Jade).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\brasilian bukkake blowjob [bangbus] hairy .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\american horse licking .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\italian porn uncut mature (Liz,Tatjana).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\danish hardcore uncut (Gina).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\german porn public .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\asian porn voyeur wifey (Ashley,Janette).zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\beastiality girls traffic .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\russian action hidden nipples (Melissa).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\swedish cumshot public .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\malaysia horse trambling masturbation legs upskirt (Tatjana,Sonja).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black horse blowjob voyeur feet (Christine,Kathrin).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\canadian porn trambling public .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\danish lesbian sleeping feet (Anniston,Melissa).mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\japanese cumshot nude catfight .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\action full movie blondie (Ashley).mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gang bang kicking catfight upskirt .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\french cumshot cum masturbation redhair .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\german trambling trambling masturbation vagina upskirt (Sylvia,Britney).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\danish hardcore blowjob [free] ash (Kathrin,Melissa).avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\bukkake trambling lesbian granny .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian hardcore kicking sleeping .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\blowjob lesbian full movie sm .avi.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\CbsTemp\sperm horse [bangbus] feet .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\african lesbian several models femdom .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\beast cum girls blondie .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\beast gay full movie nipples redhair .zip.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\chinese lingerie animal girls mature (Sonja).rar.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\african lingerie beastiality public lady .mpg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\italian cumshot [free] glans (Jenna,Sandy).mpeg.exe	c972714802cdfd78fe47189077a0ca70N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\swedish lingerie masturbation upskirt .rar.exe	c972714802cdfd78fe47189077a0ca70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c972714802cdfd78fe47189077a0ca70N.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2172	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
760	c972714802cdfd78fe47189077a0ca70N.exe
760	c972714802cdfd78fe47189077a0ca70N.exe
3012	c972714802cdfd78fe47189077a0ca70N.exe
3012	c972714802cdfd78fe47189077a0ca70N.exe
3804	c972714802cdfd78fe47189077a0ca70N.exe
3804	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
3184	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
3184	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
4060	c972714802cdfd78fe47189077a0ca70N.exe
4060	c972714802cdfd78fe47189077a0ca70N.exe
760	c972714802cdfd78fe47189077a0ca70N.exe
760	c972714802cdfd78fe47189077a0ca70N.exe
1164	c972714802cdfd78fe47189077a0ca70N.exe
1164	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
4244	c972714802cdfd78fe47189077a0ca70N.exe
3280	c972714802cdfd78fe47189077a0ca70N.exe
3280	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
2172	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
3420	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
1848	c972714802cdfd78fe47189077a0ca70N.exe
4464	c972714802cdfd78fe47189077a0ca70N.exe
1848	c972714802cdfd78fe47189077a0ca70N.exe
4704	c972714802cdfd78fe47189077a0ca70N.exe
4704	c972714802cdfd78fe47189077a0ca70N.exe
220	c972714802cdfd78fe47189077a0ca70N.exe
220	c972714802cdfd78fe47189077a0ca70N.exe
3456	c972714802cdfd78fe47189077a0ca70N.exe
3456	c972714802cdfd78fe47189077a0ca70N.exe
3344	c972714802cdfd78fe47189077a0ca70N.exe
3344	c972714802cdfd78fe47189077a0ca70N.exe
3012	c972714802cdfd78fe47189077a0ca70N.exe
3012	c972714802cdfd78fe47189077a0ca70N.exe
3184	c972714802cdfd78fe47189077a0ca70N.exe
3184	c972714802cdfd78fe47189077a0ca70N.exe
3804	c972714802cdfd78fe47189077a0ca70N.exe
3804	c972714802cdfd78fe47189077a0ca70N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4244	2172	c972714802cdfd78fe47189077a0ca70N.exe	89
PID 2172 wrote to memory of 4244	2172	c972714802cdfd78fe47189077a0ca70N.exe	89
PID 2172 wrote to memory of 4244	2172	c972714802cdfd78fe47189077a0ca70N.exe	89
PID 4244 wrote to memory of 3420	4244	c972714802cdfd78fe47189077a0ca70N.exe	92
PID 4244 wrote to memory of 3420	4244	c972714802cdfd78fe47189077a0ca70N.exe	92
PID 4244 wrote to memory of 3420	4244	c972714802cdfd78fe47189077a0ca70N.exe	92
PID 2172 wrote to memory of 4464	2172	c972714802cdfd78fe47189077a0ca70N.exe	93
PID 2172 wrote to memory of 4464	2172	c972714802cdfd78fe47189077a0ca70N.exe	93
PID 2172 wrote to memory of 4464	2172	c972714802cdfd78fe47189077a0ca70N.exe	93
PID 4244 wrote to memory of 760	4244	c972714802cdfd78fe47189077a0ca70N.exe	95
PID 4244 wrote to memory of 760	4244	c972714802cdfd78fe47189077a0ca70N.exe	95
PID 4244 wrote to memory of 760	4244	c972714802cdfd78fe47189077a0ca70N.exe	95
PID 2172 wrote to memory of 3012	2172	c972714802cdfd78fe47189077a0ca70N.exe	96
PID 2172 wrote to memory of 3012	2172	c972714802cdfd78fe47189077a0ca70N.exe	96
PID 2172 wrote to memory of 3012	2172	c972714802cdfd78fe47189077a0ca70N.exe	96
PID 3420 wrote to memory of 3184	3420	c972714802cdfd78fe47189077a0ca70N.exe	97
PID 3420 wrote to memory of 3184	3420	c972714802cdfd78fe47189077a0ca70N.exe	97
PID 3420 wrote to memory of 3184	3420	c972714802cdfd78fe47189077a0ca70N.exe	97
PID 4464 wrote to memory of 3804	4464	c972714802cdfd78fe47189077a0ca70N.exe	98
PID 4464 wrote to memory of 3804	4464	c972714802cdfd78fe47189077a0ca70N.exe	98
PID 4464 wrote to memory of 3804	4464	c972714802cdfd78fe47189077a0ca70N.exe	98
PID 760 wrote to memory of 4060	760	c972714802cdfd78fe47189077a0ca70N.exe	99
PID 760 wrote to memory of 4060	760	c972714802cdfd78fe47189077a0ca70N.exe	99
PID 760 wrote to memory of 4060	760	c972714802cdfd78fe47189077a0ca70N.exe	99
PID 4244 wrote to memory of 1164	4244	c972714802cdfd78fe47189077a0ca70N.exe	100
PID 4244 wrote to memory of 1164	4244	c972714802cdfd78fe47189077a0ca70N.exe	100
PID 4244 wrote to memory of 1164	4244	c972714802cdfd78fe47189077a0ca70N.exe	100
PID 2172 wrote to memory of 4704	2172	c972714802cdfd78fe47189077a0ca70N.exe	102
PID 2172 wrote to memory of 4704	2172	c972714802cdfd78fe47189077a0ca70N.exe	102
PID 2172 wrote to memory of 4704	2172	c972714802cdfd78fe47189077a0ca70N.exe	102
PID 3420 wrote to memory of 3280	3420	c972714802cdfd78fe47189077a0ca70N.exe	103
PID 3420 wrote to memory of 3280	3420	c972714802cdfd78fe47189077a0ca70N.exe	103
PID 3420 wrote to memory of 3280	3420	c972714802cdfd78fe47189077a0ca70N.exe	103
PID 4464 wrote to memory of 1848	4464	c972714802cdfd78fe47189077a0ca70N.exe	104
PID 4464 wrote to memory of 1848	4464	c972714802cdfd78fe47189077a0ca70N.exe	104
PID 4464 wrote to memory of 1848	4464	c972714802cdfd78fe47189077a0ca70N.exe	104
PID 3012 wrote to memory of 3456	3012	c972714802cdfd78fe47189077a0ca70N.exe	105
PID 3012 wrote to memory of 3456	3012	c972714802cdfd78fe47189077a0ca70N.exe	105
PID 3012 wrote to memory of 3456	3012	c972714802cdfd78fe47189077a0ca70N.exe	105
PID 3184 wrote to memory of 220	3184	c972714802cdfd78fe47189077a0ca70N.exe	106
PID 3184 wrote to memory of 220	3184	c972714802cdfd78fe47189077a0ca70N.exe	106
PID 3184 wrote to memory of 220	3184	c972714802cdfd78fe47189077a0ca70N.exe	106
PID 3804 wrote to memory of 3344	3804	c972714802cdfd78fe47189077a0ca70N.exe	107
PID 3804 wrote to memory of 3344	3804	c972714802cdfd78fe47189077a0ca70N.exe	107
PID 3804 wrote to memory of 3344	3804	c972714802cdfd78fe47189077a0ca70N.exe	107
PID 760 wrote to memory of 1052	760	c972714802cdfd78fe47189077a0ca70N.exe	108
PID 760 wrote to memory of 1052	760	c972714802cdfd78fe47189077a0ca70N.exe	108
PID 760 wrote to memory of 1052	760	c972714802cdfd78fe47189077a0ca70N.exe	108
PID 4060 wrote to memory of 4708	4060	c972714802cdfd78fe47189077a0ca70N.exe	109
PID 4060 wrote to memory of 4708	4060	c972714802cdfd78fe47189077a0ca70N.exe	109
PID 4060 wrote to memory of 4708	4060	c972714802cdfd78fe47189077a0ca70N.exe	109
PID 4244 wrote to memory of 3740	4244	c972714802cdfd78fe47189077a0ca70N.exe	110
PID 4244 wrote to memory of 3740	4244	c972714802cdfd78fe47189077a0ca70N.exe	110
PID 4244 wrote to memory of 3740	4244	c972714802cdfd78fe47189077a0ca70N.exe	110
PID 2172 wrote to memory of 4460	2172	c972714802cdfd78fe47189077a0ca70N.exe	111
PID 2172 wrote to memory of 4460	2172	c972714802cdfd78fe47189077a0ca70N.exe	111
PID 2172 wrote to memory of 4460	2172	c972714802cdfd78fe47189077a0ca70N.exe	111
PID 3420 wrote to memory of 4416	3420	c972714802cdfd78fe47189077a0ca70N.exe	112
PID 3420 wrote to memory of 4416	3420	c972714802cdfd78fe47189077a0ca70N.exe	112
PID 3420 wrote to memory of 4416	3420	c972714802cdfd78fe47189077a0ca70N.exe	112
PID 4464 wrote to memory of 3100	4464	c972714802cdfd78fe47189077a0ca70N.exe	113
PID 4464 wrote to memory of 3100	4464	c972714802cdfd78fe47189077a0ca70N.exe	113
PID 4464 wrote to memory of 3100	4464	c972714802cdfd78fe47189077a0ca70N.exe	113
PID 3012 wrote to memory of 1972	3012	c972714802cdfd78fe47189077a0ca70N.exe	114

C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
"C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:12160
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:15860
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:16452
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:12088
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:15636
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:9412
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:17040
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:12016
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:15660
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:12216
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:16172
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18464
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12000
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15548
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:11848
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:14948
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:14444
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18508
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11880
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:16180
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18392
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12104
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15652
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12704
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:17032
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8488
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18384
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12280
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15796
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:11864
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:15152
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:15964
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:13836
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11928
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15172
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:16520
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11984
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15540
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:14292
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18532
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8660
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7712
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9996
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15808
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:4416
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10740
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:14116
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:7260
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:19276
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9792
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:19572
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11936
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15436
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5248
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9420
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12008
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15676
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6520
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12744
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:8844
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8568
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12048
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16376
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:9880
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        8⤵
        
        PID:20328
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:11896
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:15580
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7556
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18476
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10332
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11888
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15556
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:9632
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:20096
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11968
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15588
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6592
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12176
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15828
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7708
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12120
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16116
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10944
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:14124
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:944
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:7244
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18484
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9624
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12064
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15596
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5280
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9432
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:19136
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12040
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15612
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6512
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12720
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16964
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:7616
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18448
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12240
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15780
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6056
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18424
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11808
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15020
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15744
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:17516
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9608
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:20112
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11840
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15012
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16028
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6488
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12232
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15892
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:7856
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:20128
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:10632
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12432
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16124
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6544
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12728
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:17008
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:8640
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18280
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12272
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16076
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6128
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12200
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16108
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:7532
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18524
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:10020
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11904
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15228
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15184
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9220
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:20104
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11792
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15144
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16040
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12208
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15844
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:8444
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:17524
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12264
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:15788
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3344
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:10384
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:11800
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:14940
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:6904
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:17704
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:9668
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11824
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15188
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15912
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:5160
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        7⤵
        
        PID:18824
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11960
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15572
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12752
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:16980
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8684
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:7628
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15940
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6404
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10920
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:14756
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:11776
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:7564
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:10576
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11872
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15136
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15804
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5216
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:8804
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:9468
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11856
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15196
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15888
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6528
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:14076
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:8648
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18492
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16680
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6088
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:10624
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:13876
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18288
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6764
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18816
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9800
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:17340
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11832
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15028
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15868
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9064
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11976
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15564
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12224
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15836
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:8692
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12128
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15668
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6096
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:10936
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:17292
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:14768
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12316
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:7172
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18440
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9660
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:20120
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12072
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16188
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9928
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:17048
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11920
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15764
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6584
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12736
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:17332
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:8436
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12768
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12256
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:15852
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:12192
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:15772
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:7180
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:14864
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9772
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:17064
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12080
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:14524
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:5168
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:9016
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:18408
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11952
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15212
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16280
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6560
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12136
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15932
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:8584
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18456
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12168
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16204
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        6⤵
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:11912
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:15428
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:19144
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9600
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:20080
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11992
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16196
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9500
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:17412
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12032
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15604
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:14312
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11760
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:8428
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11720
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12248
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:16688
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:12184
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16956
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:7252
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18536
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9616
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:18416
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12056
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:10928
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:14776
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:13896
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6536
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12460
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16988
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:8704
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:12300
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12112
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:15628
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6016
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:9404
    - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
        5⤵
        
        PID:16436
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:11816
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:15220
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:16216
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:6356
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:18500
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:9440
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:20148
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12024
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:15620
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:9364
  - - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
      "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
      4⤵
      PID:20136
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:11944
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:15420
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:6608
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:12712
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:16972
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:8676
- - C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
    "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
    3⤵
    PID:16424
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:12096
- C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe
  "C:\Users\Admin\AppData\Local\Temp\c972714802cdfd78fe47189077a0ca70N.exe"
  2⤵
  PID:15644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia cum [free] hole (Karin,Jade).mpeg.exe

Filesize
1.7MB

MD5
226777a71d37cb2e306838a245f7dba3

SHA1
a5bd4bc3579cafd15e526ac23688e4595ec198e5

SHA256
697e733f32945d3aebce4509ec910604b45eafc198daf085c7730d44f280f245

SHA512
e5ff9c0bd05d3b33d9099799a44da325d5eaa093e952cff0e13c5116b40334582966d16d55aa9cfb88ccdbe257c2cb8e8d38ea8fb83ba02e351a1cc911902d0b

Download Submit
memory/220-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/760-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1052-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1164-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1412-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1948-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2172-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2196-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2336-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3012-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3280-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3344-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3420-156-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3740-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3804-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4060-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4244-45-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4464-157-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5056-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5192-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5256-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5272-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5480-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6016-203-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6056-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6064-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6120-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6128-210-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6136-211-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6148-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6220-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6356-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6404-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6512-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6560-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6568-215-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6576-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6584-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6592-216-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6600-217-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6632-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6752-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6760-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6764-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7172-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7180-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7236-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7244-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7260-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7452-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7616-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8444-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8584-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8640-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8648-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8660-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8676-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8684-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8692-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8728-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8820-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8844-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9016-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9056-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9136-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9404-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9412-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9432-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9500-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9616-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9624-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9632-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9660-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9668-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9772-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9784-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9792-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9800-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9880-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10020-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10044-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10132-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10332-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10384-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10624-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10632-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10740-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10920-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10928-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10944-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11816-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11856-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11880-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11896-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download