ee1df8e6168ac9f70e5d236e088e6d0acb713b08a5a4c554da076a97d3d633e3

Analysis

max time kernel
11s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91ba5d921ec4bc4bedd386d548b2aee0N.exe
Size

1.6MB
MD5

91ba5d921ec4bc4bedd386d548b2aee0
SHA1

883743c54ea1a2c48cc3c39ee7c78841c4f366dc
SHA256

ee1df8e6168ac9f70e5d236e088e6d0acb713b08a5a4c554da076a97d3d633e3
SHA512

334c286057aaedeb5e651f23d91cc00e68f96b0e9967a34dc34bc509357afb718f9cfc6aa80b7b888c9b18bba91ff2d319590440654ec0908fc759225dfb074f
SSDEEP

49152:VVaZ9HxfSWrcvIX7y3V2C3ZgKPnnMckCGpfL2:k9SWMIsVTPnMcNJ

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\V:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\W:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\X:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\E:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\G:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\I:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\N:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\O:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\Q:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\S:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\B:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\J:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\L:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\T:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\U:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\Z:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\A:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\M:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\P:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\R:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\Y:	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File opened (read-only)	\??\K:	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie girls young .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish porn blowjob hot (!) wifey .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob hidden (Sarah).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\System32\DriverStore\Temp\xxx licking titts shoes .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese cum sperm sleeping black hairunshaved (Sandy,Jade).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gay [free] hole sweet (Melissa).avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm girls (Sarah).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian lingerie [milf] (Karin).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian kicking sperm several models (Sarah).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\trambling hidden young .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\trambling licking femdom .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore lesbian young .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian handjob beast catfight hole .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian cum fucking hot (!) .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\horse catfight cock .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\italian action trambling masturbation .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\xxx uncut leather .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Common Files\microsoft shared\brasilian fetish lesbian public pregnant .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\xxx [bangbus] femdom .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish cum fucking hidden granny .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob hot (!) granny .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\beast sleeping cock (Anniston,Tatjana).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish porn bukkake lesbian black hairunshaved .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black fetish gay [bangbus] titts hairy .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\swedish nude gay hidden feet traffic (Karin).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Google\Temp\hardcore several models .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling uncut (Jade).mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\dotnet\shared\indian nude fucking [free] (Karin).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\american fetish fucking hidden penetration .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\fucking masturbation granny .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\american animal trambling [bangbus] hairy .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\swedish kicking beast [bangbus] hole .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\xxx [free] feet .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\hardcore full movie .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\swedish gang bang gay licking cock (Kathrin,Liz).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\horse sperm hot (!) high heels .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\horse beast hot (!) glans .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\canadian bukkake hot (!) boots .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\Downloaded Program Files\blowjob voyeur (Melissa).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\danish porn hardcore catfight shower .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\indian animal lingerie hot (!) castration .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\norwegian blowjob big (Samantha).avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\action gay voyeur gorgeoushorny .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling masturbation cock ejaculation .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\lingerie girls .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\malaysia beast uncut circumcision .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\tyrkish cumshot xxx uncut ejaculation .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\sperm voyeur .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\tyrkish porn hardcore licking .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\assembly\temp\swedish beastiality sperm licking cock blondie (Tatjana).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian cumshot trambling full movie feet .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\cum gay [free] hole swallow .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\swedish beastiality horse voyeur (Curtney).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\fetish xxx girls circumcision .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\british fucking sleeping titts .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\canadian bukkake hidden (Sarah).avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\chinese sperm masturbation feet .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\bukkake hot (!) .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\assembly\tmp\beast full movie (Melissa).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\InputMethod\SHARED\russian horse lingerie girls penetration .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\gay sleeping feet bondage .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\french trambling sleeping granny .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\security\templates\tyrkish cum fucking full movie hole mature .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\indian beastiality fucking lesbian .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\spanish lingerie uncut glans .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\japanese beastiality fucking licking feet sweet (Karin).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\asian hardcore several models glans ejaculation (Curtney).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\xxx big gorgeoushorny (Sonja,Sylvia).mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\russian handjob gay [bangbus] (Karin).mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black action lingerie licking .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\russian action bukkake lesbian feet penetration .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\russian porn horse uncut cock young .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\nude hardcore masturbation .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\norwegian xxx [free] .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\gay [free] (Sylvia).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking lesbian feet upskirt .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\bukkake several models glans .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\american nude lingerie [milf] stockings .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\brasilian handjob hardcore masturbation glans (Anniston,Sarah).rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie big .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\german beast [free] glans gorgeoushorny (Tatjana).zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cum gay big leather .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\canadian lingerie hidden redhair .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\kicking gay sleeping feet .mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SoftwareDistribution\Download\brasilian cumshot horse [milf] (Liz).mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black handjob fucking full movie .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish porn xxx several models glans .zip.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\beastiality lesbian licking (Janette).mpg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\sperm hidden .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\mssrv.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\indian animal trambling voyeur cock .avi.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\hardcore [bangbus] young .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\german blowjob hidden .mpeg.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\black gang bang gay [milf] .rar.exe	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2820	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2820	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2232	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2232	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2100	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2100	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4060	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4060	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1652	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1652	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2088	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2088	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4696	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4696	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2076	91ba5d921ec4bc4bedd386d548b2aee0N.exe
2076	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
212	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe
1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe
4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 212	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	87
PID 4312 wrote to memory of 212	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	87
PID 4312 wrote to memory of 212	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	87
PID 4312 wrote to memory of 1908	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	88
PID 4312 wrote to memory of 1908	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	88
PID 4312 wrote to memory of 1908	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	88
PID 212 wrote to memory of 4052	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	89
PID 212 wrote to memory of 4052	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	89
PID 212 wrote to memory of 4052	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	89
PID 1908 wrote to memory of 4460	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	94
PID 1908 wrote to memory of 4460	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	94
PID 1908 wrote to memory of 4460	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	94
PID 4312 wrote to memory of 1704	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	95
PID 4312 wrote to memory of 1704	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	95
PID 4312 wrote to memory of 1704	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	95
PID 212 wrote to memory of 2820	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	96
PID 212 wrote to memory of 2820	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	96
PID 212 wrote to memory of 2820	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	96
PID 4052 wrote to memory of 2232	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	97
PID 4052 wrote to memory of 2232	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	97
PID 4052 wrote to memory of 2232	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	97
PID 4460 wrote to memory of 4060	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	98
PID 4460 wrote to memory of 4060	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	98
PID 4460 wrote to memory of 4060	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	98
PID 1908 wrote to memory of 2100	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	99
PID 1908 wrote to memory of 2100	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	99
PID 1908 wrote to memory of 2100	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	99
PID 4312 wrote to memory of 1652	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	100
PID 4312 wrote to memory of 1652	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	100
PID 4312 wrote to memory of 1652	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	100
PID 212 wrote to memory of 2088	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	102
PID 212 wrote to memory of 2088	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	102
PID 212 wrote to memory of 2088	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	102
PID 4052 wrote to memory of 2076	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	103
PID 4052 wrote to memory of 2076	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	103
PID 4052 wrote to memory of 2076	4052	91ba5d921ec4bc4bedd386d548b2aee0N.exe	103
PID 1704 wrote to memory of 4696	1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe	101
PID 1704 wrote to memory of 4696	1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe	101
PID 1704 wrote to memory of 4696	1704	91ba5d921ec4bc4bedd386d548b2aee0N.exe	101
PID 2820 wrote to memory of 1628	2820	91ba5d921ec4bc4bedd386d548b2aee0N.exe	105
PID 2820 wrote to memory of 1628	2820	91ba5d921ec4bc4bedd386d548b2aee0N.exe	105
PID 2820 wrote to memory of 1628	2820	91ba5d921ec4bc4bedd386d548b2aee0N.exe	105
PID 2232 wrote to memory of 3676	2232	91ba5d921ec4bc4bedd386d548b2aee0N.exe	106
PID 2232 wrote to memory of 3676	2232	91ba5d921ec4bc4bedd386d548b2aee0N.exe	106
PID 2232 wrote to memory of 3676	2232	91ba5d921ec4bc4bedd386d548b2aee0N.exe	106
PID 1908 wrote to memory of 1524	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	107
PID 1908 wrote to memory of 1524	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	107
PID 1908 wrote to memory of 1524	1908	91ba5d921ec4bc4bedd386d548b2aee0N.exe	107
PID 4460 wrote to memory of 3988	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	109
PID 4460 wrote to memory of 3988	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	109
PID 4460 wrote to memory of 3988	4460	91ba5d921ec4bc4bedd386d548b2aee0N.exe	109
PID 4312 wrote to memory of 4292	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	108
PID 4312 wrote to memory of 4292	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	108
PID 4312 wrote to memory of 4292	4312	91ba5d921ec4bc4bedd386d548b2aee0N.exe	108
PID 2100 wrote to memory of 440	2100	91ba5d921ec4bc4bedd386d548b2aee0N.exe	110
PID 2100 wrote to memory of 440	2100	91ba5d921ec4bc4bedd386d548b2aee0N.exe	110
PID 2100 wrote to memory of 440	2100	91ba5d921ec4bc4bedd386d548b2aee0N.exe	110
PID 212 wrote to memory of 520	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	111
PID 212 wrote to memory of 520	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	111
PID 212 wrote to memory of 520	212	91ba5d921ec4bc4bedd386d548b2aee0N.exe	111

C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
"C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        9⤵
        
        PID:22912
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:14832
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:20968
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:17104
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:13976
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:10816
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:15940
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:9884
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:10084
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:22720
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14292
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20044
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:15920
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:9756
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10496
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:23404
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14892
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:21764
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:384
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:9812
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:21776
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14284
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20036
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:16068
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:10160
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:24228
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15440
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8032
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5584
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8640
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:18872
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12044
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17168
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10660
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7252
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13904
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19908
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9792
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:21612
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14036
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20020
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:21660
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14028
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20004
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:16976
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14548
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:11284
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15976
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10296
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20844
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13300
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18804
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14728
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20728
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10540
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:22952
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14952
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8224
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9820
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20852
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14260
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20060
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15032
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:22004
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10628
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13956
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15048
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22052
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17088
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:23676
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10528
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15604
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8920
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13388
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:19504
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:9844
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:13984
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:20068
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:10372
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:22920
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14800
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:21404
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:17016
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:12080
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:11360
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15984
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10228
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20876
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13648
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19676
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7644
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14744
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:21412
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10548
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13892
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14584
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:3640
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:21876
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13992
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19964
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7668
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15648
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9408
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:776
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15192
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22440
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7584
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15656
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8612
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10488
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:23060
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15164
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22424
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7028
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:12600
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18228
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8816
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20836
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10680
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:19116
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10092
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:23044
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14328
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20052
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8120
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17244
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:23968
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11352
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15964
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9904
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17132
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14960
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10672
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18812
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15532
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8560
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7212
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14632
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20660
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:9692
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:21420
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:13776
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:19860
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8544
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17488
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:24252
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11964
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:16932
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13500
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7292
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14276
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20028
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22700
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:14468
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:20128
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6896
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:12516
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18104
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8936
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18996
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:12668
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18140
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:11864
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:16608
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:23412
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:19092
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:12892
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:18204
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:9872
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        8⤵
        
        PID:21512
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:14020
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:19996
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:16052
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:9568
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10516
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15832
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10108
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5656
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:17964
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12232
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:24236
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14676
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:21396
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:10272
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:22712
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14492
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20136
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:12436
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:17824
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:20860
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13284
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18632
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6708
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12096
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17252
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:23976
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8896
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19196
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:12780
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18220
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5176
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6532
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:11620
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15880
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:22944
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8700
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17832
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:12256
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:17076
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:24212
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11664
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17720
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:16512
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:23036
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18728
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:11648
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:17468
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:24244
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:16060
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:22188
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:10868
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:15248
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:7876
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12556
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18212
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9680
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20904
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13812
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:19900
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6968
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12536
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18148
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8812
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19492
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13272
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18576
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11636
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:16412
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22960
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8888
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18720
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:12676
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18156
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6888
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:12028
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:16940
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14188
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18736
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:12656
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18236
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11008
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:18336
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15448
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:21492
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8836
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:19204
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:12428
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:17796
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:24568
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6488
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11256
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15492
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8848
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8684
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:17440
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:24220
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:11564
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:17148
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:14180
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6480
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10860
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22388
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:14788
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:3264
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:8692
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18816
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:12056
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:17192
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:15668
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:9804
        
        C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        7⤵
        
        PID:21624
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:13932
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20012
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8000
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:17004
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:14600
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:11184
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15484
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8284
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9152
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:19300
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13180
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:18652
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7592
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14840
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:21540
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10844
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:23052
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:15176
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:22448
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:5572
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9356
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20960
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13324
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:19132
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7740
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14944
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10664
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22892
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:15184
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:21476
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:8436
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:392
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:24200
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:11628
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:16036
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:22928
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:13768
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:19868
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:9700
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:4724
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:13948
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:19972
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:9344
      - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        6⤵
        
        PID:20868
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13332
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:19124
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7824
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15336
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10920
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:14592
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:2884
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:15456
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:8384
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10560
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:13096
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:15040
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:22012
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6976
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:13024
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18196
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:8360
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18764
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:13008
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:19048
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:5464
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:7516
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:14692
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:20772
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:10504
    - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
        5⤵
        
        PID:22728
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:14908
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:21928
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:12500
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18076
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:8820
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:20780
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:13292
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:19040
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:6956
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:12524
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18128
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:9200
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:19664
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:13200
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:18544
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:6684
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:11800
  - - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
      "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
      4⤵
      PID:18400
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:16032
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:22936
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:8856
- - C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
    3⤵
    PID:18744
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:12420
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:17760
- C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe
  "C:\Users\Admin\AppData\Local\Temp\91ba5d921ec4bc4bedd386d548b2aee0N.exe"
  2⤵
  PID:24548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian handjob beast catfight hole .zip.exe

Filesize
198KB

MD5
63e5deb5c1e636a4bbdd3f5615579985

SHA1
4a27dac8116db57a0f2a7b2fc4dbb9fb44419526

SHA256
57de96602a7c98fdbc0b189b0bf1bcb826423ee537ac845d0fbe251cab9583bb

SHA512
fcf186499856cb17e3c6881f63e129fac510b020da9bd2a22c7f6b9a0b08d94a8a1300ef73a41c52bd1bf60fec42b48ea349d0e74e500a93dbd613844d822524

Download Submit
memory/440-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/520-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1072-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1524-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1616-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1652-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2016-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2232-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2588-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2800-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2820-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3748-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3988-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4292-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4312-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4460-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4696-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5040-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5176-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5208-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5236-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5248-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5260-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5320-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5408-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5452-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5464-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5472-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5480-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5564-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5572-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5576-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5584-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5592-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5648-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5656-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5908-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5936-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5948-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6004-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6148-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6240-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6256-297-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6276-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6284-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6292-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6300-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6376-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6424-318-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6480-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6488-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6572-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6596-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6648-287-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6684-288-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6708-289-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6800-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6888-291-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6896-292-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6948-293-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6956-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6984-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7028-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7244-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7292-300-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7328-301-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7644-302-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7652-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7660-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7668-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7724-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7740-307-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7752-308-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7824-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7832-310-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8000-311-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8076-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8108-313-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8120-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8140-316-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8152-314-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8160-317-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8436-319-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8544-320-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8672-321-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8684-322-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8692-323-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8700-324-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8836-326-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8880-325-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8888-327-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download