7fc6bd301f5e704a5ba1d7f1984ca5aa172ecd6f20979dcc7312ff7fa9ecd854

Analysis

max time kernel
15s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94db6d9722916e43b4325513b1ff9280N.exe
Size

2.0MB
MD5

94db6d9722916e43b4325513b1ff9280
SHA1

c47be8fa4e0229285bd67863d74d29dc04f52c15
SHA256

7fc6bd301f5e704a5ba1d7f1984ca5aa172ecd6f20979dcc7312ff7fa9ecd854
SHA512

dbc8b9da4baf11f9e47e0796c50e3214567c154cb9c991c9e2fb88274d3c4a6e75fd61e5db9d48d802d155c756d8efb6e13ffaad534775ca127005e125943085
SSDEEP

49152:VdA8Mv2MpNOeRHsG7lUeWc1VKDHV6+vAyOVS9V118Fku8Gki:Qv24JtsKac1VeHY+oylEkyx

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	94db6d9722916e43b4325513b1ff9280N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	94db6d9722916e43b4325513b1ff9280N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\U:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\Y:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\I:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\L:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\R:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\W:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\Q:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\S:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\V:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\E:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\J:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\K:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\M:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\O:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\X:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\T:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\Z:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\A:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\B:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\G:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\H:	94db6d9722916e43b4325513b1ff9280N.exe
File opened (read-only)	\??\N:	94db6d9722916e43b4325513b1ff9280N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\cum bukkake [free] femdom (Sonja,Tatjana).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake public (Sylvia).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian voyeur glans (Sandy,Karin).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\horse [bangbus] titts .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian horse xxx hidden blondie .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish fetish hardcore voyeur glans blondie (Karin).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie big stockings .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob catfight femdom .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\System32\DriverStore\Temp\lesbian full movie feet wifey (Janette).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gay big ash (Sonja,Melissa).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian cum lingerie [free] bondage (Christine,Jade).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian action horse sleeping traffic .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian gang bang trambling lesbian (Tatjana).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\danish nude fucking hot (!) feet (Sonja,Melissa).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian animal gay lesbian glans (Jenna,Jade).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish horse hardcore [bangbus] titts young .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\sperm sleeping fishy .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian kicking xxx lesbian young .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\italian nude sperm uncut leather (Ashley,Samantha).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish porn hardcore public (Samantha).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\dotnet\shared\gay licking .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish action beast hidden cock .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian handjob fucking uncut titts .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Google\Update\Download\russian beastiality bukkake [milf] sm .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\italian cumshot xxx masturbation (Karin).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\russian handjob hardcore catfight hole latex (Karin).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\tyrkish cumshot fucking [milf] glans shower (Curtney).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\italian kicking fucking uncut upskirt .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse masturbation black hairunshaved .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Program Files (x86)\Google\Temp\japanese animal lesbian girls glans (Anniston,Sarah).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\chinese xxx sleeping hole 50+ (Samantha).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\InputMethod\SHARED\beast hidden bondage (Ashley,Melissa).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\black porn gay hot (!) .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\animal gay [milf] glans balls .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\asian sperm [free] .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\italian cum lingerie hidden femdom .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\french xxx full movie hole Ôï (Liz).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\assembly\tmp\italian cumshot hardcore lesbian glans stockings (Karin).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\black fetish horse [bangbus] black hairunshaved (Gina,Sarah).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\japanese cumshot fucking catfight .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\norwegian fucking masturbation cock hairy (Karin).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\kicking trambling uncut castration .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\spanish lingerie [free] titts (Sonja,Janette).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\asian beast public cock redhair .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\bukkake uncut glans .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\CbsTemp\lingerie several models 40+ (Anniston,Liz).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\danish porn xxx several models 40+ .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian handjob fucking catfight .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\horse xxx lesbian (Sarah).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\cumshot lingerie voyeur .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\assembly\temp\indian cumshot gay [bangbus] wifey .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\horse blowjob masturbation glans beautyfull .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\canadian trambling girls hole latex (Janette).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\beastiality trambling [milf] mature .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish handjob sperm [bangbus] upskirt .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\animal hardcore masturbation glans .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\french xxx voyeur hole young (Jade).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\handjob gay hidden titts YEâPSè& .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\lingerie girls hole leather .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\gang bang lingerie public shower .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\indian cum gay hot (!) (Curtney).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\PLA\Templates\danish fetish lesbian licking leather .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\sperm masturbation (Curtney).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish animal hardcore hidden (Liz).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\xxx several models cock blondie .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\german hardcore licking boots .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\lingerie lesbian titts .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\animal fucking hot (!) titts (Kathrin,Karin).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\lesbian [bangbus] .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\canadian xxx several models (Samantha).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\black porn lingerie sleeping feet hairy .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore masturbation hole castration (Sylvia).rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\japanese gang bang blowjob full movie bondage .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish nude fucking sleeping balls .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\spanish hardcore uncut cock blondie .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\beast full movie .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\action gay [milf] feet .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\brasilian kicking hardcore sleeping feet bondage (Jade).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\Downloaded Program Files\xxx sleeping .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\SoftwareDistribution\Download\russian cum fucking [bangbus] feet leather .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\chinese fucking [milf] .mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\french sperm several models feet .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\chinese hardcore [bangbus] hairy .rar.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\japanese cumshot lesbian masturbation (Sylvia).mpg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\italian porn hardcore [milf] glans blondie (Liz).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\tyrkish action fucking hot (!) stockings (Sonja,Curtney).zip.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\mssrv.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\tyrkish cum bukkake public cock bedroom .avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\hardcore [bangbus] cock castration .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\animal trambling lesbian mistress (Jenna,Curtney).mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\russian fetish beast hot (!) castration (Sonja,Janette).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\french gay [free] cock (Jenna,Melissa).avi.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\canadian hardcore licking cock .mpeg.exe	94db6d9722916e43b4325513b1ff9280N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\german lesbian girls shoes .zip.exe	94db6d9722916e43b4325513b1ff9280N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94db6d9722916e43b4325513b1ff9280N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
3184	94db6d9722916e43b4325513b1ff9280N.exe
3184	94db6d9722916e43b4325513b1ff9280N.exe
3168	94db6d9722916e43b4325513b1ff9280N.exe
3168	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
916	94db6d9722916e43b4325513b1ff9280N.exe
916	94db6d9722916e43b4325513b1ff9280N.exe
3944	94db6d9722916e43b4325513b1ff9280N.exe
3944	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
3908	94db6d9722916e43b4325513b1ff9280N.exe
3908	94db6d9722916e43b4325513b1ff9280N.exe
2160	94db6d9722916e43b4325513b1ff9280N.exe
2160	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
808	94db6d9722916e43b4325513b1ff9280N.exe
3184	94db6d9722916e43b4325513b1ff9280N.exe
3184	94db6d9722916e43b4325513b1ff9280N.exe
2608	94db6d9722916e43b4325513b1ff9280N.exe
2608	94db6d9722916e43b4325513b1ff9280N.exe
1912	94db6d9722916e43b4325513b1ff9280N.exe
1912	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
232	94db6d9722916e43b4325513b1ff9280N.exe
1240	94db6d9722916e43b4325513b1ff9280N.exe
1240	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
1468	94db6d9722916e43b4325513b1ff9280N.exe
2920	94db6d9722916e43b4325513b1ff9280N.exe
2920	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
4860	94db6d9722916e43b4325513b1ff9280N.exe
3168	94db6d9722916e43b4325513b1ff9280N.exe
3168	94db6d9722916e43b4325513b1ff9280N.exe
3048	94db6d9722916e43b4325513b1ff9280N.exe
3048	94db6d9722916e43b4325513b1ff9280N.exe
4364	94db6d9722916e43b4325513b1ff9280N.exe
4364	94db6d9722916e43b4325513b1ff9280N.exe
3944	94db6d9722916e43b4325513b1ff9280N.exe
3944	94db6d9722916e43b4325513b1ff9280N.exe
916	94db6d9722916e43b4325513b1ff9280N.exe
916	94db6d9722916e43b4325513b1ff9280N.exe
452	94db6d9722916e43b4325513b1ff9280N.exe
452	94db6d9722916e43b4325513b1ff9280N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 232	1468	94db6d9722916e43b4325513b1ff9280N.exe	89
PID 1468 wrote to memory of 232	1468	94db6d9722916e43b4325513b1ff9280N.exe	89
PID 1468 wrote to memory of 232	1468	94db6d9722916e43b4325513b1ff9280N.exe	89
PID 1468 wrote to memory of 808	1468	94db6d9722916e43b4325513b1ff9280N.exe	92
PID 1468 wrote to memory of 808	1468	94db6d9722916e43b4325513b1ff9280N.exe	92
PID 1468 wrote to memory of 808	1468	94db6d9722916e43b4325513b1ff9280N.exe	92
PID 232 wrote to memory of 4860	232	94db6d9722916e43b4325513b1ff9280N.exe	93
PID 232 wrote to memory of 4860	232	94db6d9722916e43b4325513b1ff9280N.exe	93
PID 232 wrote to memory of 4860	232	94db6d9722916e43b4325513b1ff9280N.exe	93
PID 808 wrote to memory of 3184	808	94db6d9722916e43b4325513b1ff9280N.exe	95
PID 808 wrote to memory of 3184	808	94db6d9722916e43b4325513b1ff9280N.exe	95
PID 808 wrote to memory of 3184	808	94db6d9722916e43b4325513b1ff9280N.exe	95
PID 1468 wrote to memory of 3168	1468	94db6d9722916e43b4325513b1ff9280N.exe	96
PID 1468 wrote to memory of 3168	1468	94db6d9722916e43b4325513b1ff9280N.exe	96
PID 1468 wrote to memory of 3168	1468	94db6d9722916e43b4325513b1ff9280N.exe	96
PID 232 wrote to memory of 3944	232	94db6d9722916e43b4325513b1ff9280N.exe	97
PID 232 wrote to memory of 3944	232	94db6d9722916e43b4325513b1ff9280N.exe	97
PID 232 wrote to memory of 3944	232	94db6d9722916e43b4325513b1ff9280N.exe	97
PID 4860 wrote to memory of 916	4860	94db6d9722916e43b4325513b1ff9280N.exe	98
PID 4860 wrote to memory of 916	4860	94db6d9722916e43b4325513b1ff9280N.exe	98
PID 4860 wrote to memory of 916	4860	94db6d9722916e43b4325513b1ff9280N.exe	98
PID 808 wrote to memory of 3908	808	94db6d9722916e43b4325513b1ff9280N.exe	100
PID 808 wrote to memory of 3908	808	94db6d9722916e43b4325513b1ff9280N.exe	100
PID 808 wrote to memory of 3908	808	94db6d9722916e43b4325513b1ff9280N.exe	100
PID 3184 wrote to memory of 2160	3184	94db6d9722916e43b4325513b1ff9280N.exe	101
PID 3184 wrote to memory of 2160	3184	94db6d9722916e43b4325513b1ff9280N.exe	101
PID 3184 wrote to memory of 2160	3184	94db6d9722916e43b4325513b1ff9280N.exe	101
PID 232 wrote to memory of 2608	232	94db6d9722916e43b4325513b1ff9280N.exe	102
PID 232 wrote to memory of 2608	232	94db6d9722916e43b4325513b1ff9280N.exe	102
PID 232 wrote to memory of 2608	232	94db6d9722916e43b4325513b1ff9280N.exe	102
PID 1468 wrote to memory of 1912	1468	94db6d9722916e43b4325513b1ff9280N.exe	103
PID 1468 wrote to memory of 1912	1468	94db6d9722916e43b4325513b1ff9280N.exe	103
PID 1468 wrote to memory of 1912	1468	94db6d9722916e43b4325513b1ff9280N.exe	103
PID 4860 wrote to memory of 1240	4860	94db6d9722916e43b4325513b1ff9280N.exe	104
PID 4860 wrote to memory of 1240	4860	94db6d9722916e43b4325513b1ff9280N.exe	104
PID 4860 wrote to memory of 1240	4860	94db6d9722916e43b4325513b1ff9280N.exe	104
PID 3168 wrote to memory of 2920	3168	94db6d9722916e43b4325513b1ff9280N.exe	105
PID 3168 wrote to memory of 2920	3168	94db6d9722916e43b4325513b1ff9280N.exe	105
PID 3168 wrote to memory of 2920	3168	94db6d9722916e43b4325513b1ff9280N.exe	105
PID 3944 wrote to memory of 3048	3944	94db6d9722916e43b4325513b1ff9280N.exe	106
PID 3944 wrote to memory of 3048	3944	94db6d9722916e43b4325513b1ff9280N.exe	106
PID 3944 wrote to memory of 3048	3944	94db6d9722916e43b4325513b1ff9280N.exe	106
PID 916 wrote to memory of 4364	916	94db6d9722916e43b4325513b1ff9280N.exe	107
PID 916 wrote to memory of 4364	916	94db6d9722916e43b4325513b1ff9280N.exe	107
PID 916 wrote to memory of 4364	916	94db6d9722916e43b4325513b1ff9280N.exe	107
PID 808 wrote to memory of 452	808	94db6d9722916e43b4325513b1ff9280N.exe	108
PID 808 wrote to memory of 452	808	94db6d9722916e43b4325513b1ff9280N.exe	108
PID 808 wrote to memory of 452	808	94db6d9722916e43b4325513b1ff9280N.exe	108
PID 3184 wrote to memory of 1748	3184	94db6d9722916e43b4325513b1ff9280N.exe	109
PID 3184 wrote to memory of 1748	3184	94db6d9722916e43b4325513b1ff9280N.exe	109
PID 3184 wrote to memory of 1748	3184	94db6d9722916e43b4325513b1ff9280N.exe	109
PID 232 wrote to memory of 1492	232	94db6d9722916e43b4325513b1ff9280N.exe	110
PID 232 wrote to memory of 1492	232	94db6d9722916e43b4325513b1ff9280N.exe	110
PID 232 wrote to memory of 1492	232	94db6d9722916e43b4325513b1ff9280N.exe	110
PID 2160 wrote to memory of 3488	2160	94db6d9722916e43b4325513b1ff9280N.exe	111
PID 2160 wrote to memory of 3488	2160	94db6d9722916e43b4325513b1ff9280N.exe	111
PID 2160 wrote to memory of 3488	2160	94db6d9722916e43b4325513b1ff9280N.exe	111
PID 1468 wrote to memory of 4984	1468	94db6d9722916e43b4325513b1ff9280N.exe	112
PID 1468 wrote to memory of 4984	1468	94db6d9722916e43b4325513b1ff9280N.exe	112
PID 1468 wrote to memory of 4984	1468	94db6d9722916e43b4325513b1ff9280N.exe	112
PID 3908 wrote to memory of 3636	3908	94db6d9722916e43b4325513b1ff9280N.exe	113
PID 3908 wrote to memory of 3636	3908	94db6d9722916e43b4325513b1ff9280N.exe	113
PID 3908 wrote to memory of 3636	3908	94db6d9722916e43b4325513b1ff9280N.exe	113
PID 4860 wrote to memory of 4332	4860	94db6d9722916e43b4325513b1ff9280N.exe	114

C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
"C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:10364
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:15196
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:11056
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:14940
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        8⤵
        
        PID:17432
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:11560
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:14924
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:3312
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:18660
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10532
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15704
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7944
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11064
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15760
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:208
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10340
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15296
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:17448
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7688
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15204
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7712
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5204
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10124
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15316
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6580
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11008
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:16244
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8464
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11764
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14916
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:864
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15188
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:8252
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15636
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:18596
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:9136
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:12384
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15000
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:8088
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5188
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:8208
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11320
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:14884
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:3940
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6512
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15736
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8124
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11032
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14932
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:17284
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5152
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10324
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15212
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:8700
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15588
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18556
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9288
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:12204
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15048
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8740
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10316
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15336
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8200
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6648
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11508
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15260
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:17440
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8480
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15116
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5148
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10356
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15164
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:8264
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15612
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10436
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15672
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:8396
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11592
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15776
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6468
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10736
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15172
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:8412
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7916
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10776
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14948
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18676
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18548
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9716
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14784
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5220
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10348
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:18636
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6564
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11808
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15832
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11800
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15824
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18724
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10760
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15688
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:14792
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18540
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9152
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:12832
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:17028
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14968
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8216
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11552
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15792
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10784
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15580
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:18668
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8488
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11584
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15816
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18700
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6120
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10888
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15716
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:7440
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15848
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:18604
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8776
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:3964
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:10072
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15220
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:6640
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11040
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15744
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18684
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:8500
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:11532
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:15100
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:1568
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:3488
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:10052
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:8012
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:15604
        
        C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        7⤵
        
        PID:18572
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:9124
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:12176
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15040
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18628
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10752
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15680
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:11568
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15784
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8524
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:12192
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15032
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15644
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7224
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15628
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18612
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9176
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15008
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8568
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10080
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15236
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11816
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15840
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8508
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11872
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15856
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6180
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10768
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15288
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10156
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15344
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9848
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15252
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11016
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15752
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8456
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15108
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:9020
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6056
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10028
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15244
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:17428
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:9116
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:12496
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:14984
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:1484
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:10444
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15180
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18644
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:10744
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15696
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:8472
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:11348
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:15128
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:7872
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:6148
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:10060
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:15808
      - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        6⤵
        
        PID:18620
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:9160
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11684
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15016
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7584
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5196
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10088
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:13540
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:7784
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:11672
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15800
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:18716
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11328
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15768
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18692
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:8884
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15024
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:17420
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:7208
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:12168
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15864
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:9168
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:12364
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:14908
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4772
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:9492
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:13000
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:14960
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:4112
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11304
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15156
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:512
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:8424
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:11312
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:15136
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:508
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5144
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:10332
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:14892
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:17044
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:7308
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:15620
    - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
        5⤵
        
        PID:18588
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:9144
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:12504
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:14976
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:8532
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:11664
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:14876
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:17036
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18580
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:6492
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:10880
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15728
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18708
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:7952
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:11024
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:15324
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:8156
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:5436
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:10036
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15228
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:5564
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:7216
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:15596
  - - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
      "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
      4⤵
      PID:18564
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:9108
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:12404
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:14992
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:4380
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:9856
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:3880
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:18652
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:6664
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:11296
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:14900
- - C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
    "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
    3⤵
    PID:4872
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:8432
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:11576
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:15080
- C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe
  "C:\Users\Admin\AppData\Local\Temp\94db6d9722916e43b4325513b1ff9280N.exe"
  2⤵
  PID:7644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian gang bang trambling lesbian (Tatjana).mpeg.exe

Filesize
1.5MB

MD5
c6bde362c43dba4c938e68dffa68d53c

SHA1
909ae25f406c5ce81bbeb46a00419e84cbdd9e3c

SHA256
cd3919f830dd6d69d2a7bffde0c7583ba36f7ecff6f94a88a43a0679a0308e52

SHA512
18670c2bfbcfa71c7c4487f41e73ce2697ee49223d490a3f169a0d4d0d2a8a7605f1ccf7cc25271c40a5bf013c833f71624406527229d7a44e1648fd0acca80e

Download Submit
memory/232-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/668-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/916-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1240-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1468-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2160-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2608-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3048-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3168-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3772-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3908-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3944-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4364-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4572-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4860-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4884-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4992-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5144-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5152-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5172-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5180-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5188-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5212-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5228-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5236-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5244-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5252-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5276-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5436-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6180-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6460-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6468-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6492-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6512-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6572-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6588-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6616-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6624-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6640-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6648-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6664-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6672-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7208-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7216-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7224-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7308-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7328-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7348-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7440-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7560-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7660-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7688-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8216-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8424-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8432-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8440-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8448-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8456-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8464-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8472-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8480-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8488-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8776-297-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8884-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9108-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9116-287-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9124-288-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9136-289-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9144-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9152-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9160-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9176-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9492-291-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9716-292-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9848-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9856-293-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10124-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10156-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10160-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10316-302-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10324-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10340-300-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10356-301-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10372-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10760-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10784-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10880-307-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/10888-308-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11008-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11032-310-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11040-311-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11048-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11056-313-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11296-314-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/11304-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download