0982de57433c5b061aae3fa9f52f16a8ab9963ada8f7e17d3509c707b2e2f1e6

Analysis

max time kernel
13s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 18:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d4364cd070227dd6893e6e7cd8d4570N.exe
Size

834KB
MD5

8d4364cd070227dd6893e6e7cd8d4570
SHA1

98f8dd66600d2cb880d212152dd27ccfadd7d40d
SHA256

0982de57433c5b061aae3fa9f52f16a8ab9963ada8f7e17d3509c707b2e2f1e6
SHA512

aa9e51b7a802d536b76c8227870acc2d607ac57579f68f4edd2aea51fc32f1346c7a5449f76efec2c97de896cb24eb61b9f252dc815f53b79c661b9cd35c45c5
SSDEEP

12288:OWji9BRCpdFxfiWBO5yaxOoLKwo+wSCQjKAkbtzquzFbQRQIOm6vDkK2IqwXQBSE:CAlxffkxR+wb2AaquRsLOm6vDk9Brb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	8d4364cd070227dd6893e6e7cd8d4570N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8d4364cd070227dd6893e6e7cd8d4570N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\Q:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\S:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\V:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\Z:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\A:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\G:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\H:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\L:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\M:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\N:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\T:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\W:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\Y:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\I:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\J:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\R:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\U:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\B:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\K:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\O:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\P:	8d4364cd070227dd6893e6e7cd8d4570N.exe
File opened (read-only)	\??\X:	8d4364cd070227dd6893e6e7cd8d4570N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\trambling horse [bangbus] titts mistress (Anniston).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian trambling [milf] black hairunshaved (Gina,Jade).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\horse full movie circumcision .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake public circumcision .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\german bukkake catfight ash (Sandy).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian action hidden latex (Janette).rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\System32\DriverStore\Temp\xxx uncut feet pregnant .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm handjob [milf] vagina traffic .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish kicking fucking several models vagina ejaculation (Sonja,Gina).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking beast uncut stockings .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american porn hidden lady (Sonja).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\french lesbian sperm girls gorgeoushorny .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\danish blowjob [free] swallow .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\dotnet\shared\indian horse gay full movie glans ejaculation (Jade).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\sperm lesbian blondie (Curtney,Gina).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\danish gay beast lesbian boobs 50+ .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Google\Temp\norwegian beast [milf] cock castration .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beast cumshot catfight .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\beast [milf] latex .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\malaysia hardcore beast girls glans shoes .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\african gang bang horse [milf] wifey (Liz).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\sperm voyeur titts .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lingerie uncut wifey (Sonja,Sylvia).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\lingerie lesbian swallow .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beast public stockings (Ashley,Anniston).rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fucking fucking hot (!) .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fetish nude voyeur feet .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\porn action [milf] mistress .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Google\Update\Download\american cum cumshot big .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\asian trambling full movie (Sandy,Sylvia).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\indian horse lesbian [free] (Melissa).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\american lesbian public .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\action licking vagina swallow (Tatjana).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\blowjob [milf] cock .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\norwegian sperm public .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\hardcore nude full movie Ôï (Sylvia,Curtney).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\blowjob cumshot hidden .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\american sperm licking glans boots .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\african cumshot big YEâPSè& .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\american trambling lingerie [free] beautyfull .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\asian fucking sperm sleeping .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\brasilian cumshot hot (!) .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\spanish beastiality [free] (Janette,Janette).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\horse sperm several models .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\CbsTemp\norwegian sperm public legs .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\indian xxx action hidden stockings .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\german kicking hot (!) glans pregnant (Liz).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\hardcore gay [bangbus] vagina penetration .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\animal masturbation bedroom .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian beastiality kicking hot (!) castration .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\british nude lesbian hidden fishy (Karin,Jade).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\assembly\tmp\black action hot (!) pregnant .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\spanish trambling lingerie uncut titts blondie (Anniston).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\asian handjob sleeping boobs .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\Downloaded Program Files\action sleeping .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black horse animal hot (!) vagina YEâPSè& (Jenna).rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\black hardcore several models (Karin).rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\tyrkish animal catfight .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\spanish gay cumshot voyeur legs .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\japanese beast masturbation .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american gang bang uncut castration (Sonja).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\bukkake masturbation (Ashley,Kathrin).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\japanese xxx sleeping castration (Gina).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\lesbian uncut titts sweet (Jenna,Anniston).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\american blowjob porn voyeur 40+ (Sonja).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\porn big fishy .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\InputMethod\SHARED\malaysia hardcore beastiality hot (!) traffic (Sonja,Liz).mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian trambling catfight titts .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\action [free] hole 50+ .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\horse several models cock bedroom .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\german porn animal public .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\beastiality hot (!) .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\brasilian action fucking hot (!) (Jenna,Sylvia).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\japanese gang bang fucking sleeping ejaculation .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\spanish gay licking .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\trambling [bangbus] young .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\sperm sleeping high heels .avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\british hardcore beastiality big gorgeoushorny .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\handjob masturbation bondage .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\blowjob cum lesbian vagina .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\asian blowjob full movie (Liz).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\tyrkish lesbian kicking masturbation .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\japanese gang bang lesbian 40+ .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\british trambling lingerie public feet lady (Tatjana).zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\french trambling full movie glans swallow .rar.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\french horse action lesbian young .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie [bangbus] leather .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\hardcore sleeping titts ash .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\brasilian cum gang bang lesbian sm .zip.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\canadian animal gay [free] glans (Sylvia).mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\spanish action sperm [milf] leather .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\cum [bangbus] glans stockings .mpeg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\beastiality hardcore hot (!) blondie (Samantha).avi.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\italian handjob [milf] cock redhair .mpg.exe	8d4364cd070227dd6893e6e7cd8d4570N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d4364cd070227dd6893e6e7cd8d4570N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
2904	8d4364cd070227dd6893e6e7cd8d4570N.exe
2904	8d4364cd070227dd6893e6e7cd8d4570N.exe
2244	8d4364cd070227dd6893e6e7cd8d4570N.exe
2244	8d4364cd070227dd6893e6e7cd8d4570N.exe
904	8d4364cd070227dd6893e6e7cd8d4570N.exe
904	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
1932	8d4364cd070227dd6893e6e7cd8d4570N.exe
1932	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
2800	8d4364cd070227dd6893e6e7cd8d4570N.exe
2800	8d4364cd070227dd6893e6e7cd8d4570N.exe
4636	8d4364cd070227dd6893e6e7cd8d4570N.exe
4636	8d4364cd070227dd6893e6e7cd8d4570N.exe
116	8d4364cd070227dd6893e6e7cd8d4570N.exe
116	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
3304	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
4692	8d4364cd070227dd6893e6e7cd8d4570N.exe
4204	8d4364cd070227dd6893e6e7cd8d4570N.exe
4204	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
3188	8d4364cd070227dd6893e6e7cd8d4570N.exe
2904	8d4364cd070227dd6893e6e7cd8d4570N.exe
2904	8d4364cd070227dd6893e6e7cd8d4570N.exe
4800	8d4364cd070227dd6893e6e7cd8d4570N.exe
4800	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
4068	8d4364cd070227dd6893e6e7cd8d4570N.exe
3496	8d4364cd070227dd6893e6e7cd8d4570N.exe
3496	8d4364cd070227dd6893e6e7cd8d4570N.exe
3476	8d4364cd070227dd6893e6e7cd8d4570N.exe
3476	8d4364cd070227dd6893e6e7cd8d4570N.exe
904	8d4364cd070227dd6893e6e7cd8d4570N.exe
904	8d4364cd070227dd6893e6e7cd8d4570N.exe
3232	8d4364cd070227dd6893e6e7cd8d4570N.exe
3232	8d4364cd070227dd6893e6e7cd8d4570N.exe
2244	8d4364cd070227dd6893e6e7cd8d4570N.exe
2244	8d4364cd070227dd6893e6e7cd8d4570N.exe
1932	8d4364cd070227dd6893e6e7cd8d4570N.exe
1932	8d4364cd070227dd6893e6e7cd8d4570N.exe
1488	8d4364cd070227dd6893e6e7cd8d4570N.exe
1488	8d4364cd070227dd6893e6e7cd8d4570N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3188	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	87
PID 3304 wrote to memory of 3188	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	87
PID 3304 wrote to memory of 3188	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	87
PID 3188 wrote to memory of 4692	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	90
PID 3188 wrote to memory of 4692	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	90
PID 3188 wrote to memory of 4692	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	90
PID 3304 wrote to memory of 4068	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	91
PID 3304 wrote to memory of 4068	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	91
PID 3304 wrote to memory of 4068	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	91
PID 3188 wrote to memory of 2904	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	94
PID 3188 wrote to memory of 2904	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	94
PID 3188 wrote to memory of 2904	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	94
PID 4692 wrote to memory of 2244	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	95
PID 4692 wrote to memory of 2244	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	95
PID 4692 wrote to memory of 2244	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	95
PID 3304 wrote to memory of 904	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	96
PID 3304 wrote to memory of 904	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	96
PID 3304 wrote to memory of 904	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	96
PID 4068 wrote to memory of 1932	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	97
PID 4068 wrote to memory of 1932	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	97
PID 4068 wrote to memory of 1932	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	97
PID 4692 wrote to memory of 2800	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	99
PID 4692 wrote to memory of 2800	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	99
PID 4692 wrote to memory of 2800	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	99
PID 3304 wrote to memory of 116	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	100
PID 3304 wrote to memory of 116	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	100
PID 3304 wrote to memory of 116	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	100
PID 3188 wrote to memory of 4636	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	101
PID 3188 wrote to memory of 4636	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	101
PID 3188 wrote to memory of 4636	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	101
PID 2904 wrote to memory of 4204	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	102
PID 2904 wrote to memory of 4204	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	102
PID 2904 wrote to memory of 4204	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	102
PID 4068 wrote to memory of 4800	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	103
PID 4068 wrote to memory of 4800	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	103
PID 4068 wrote to memory of 4800	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	103
PID 904 wrote to memory of 3496	904	8d4364cd070227dd6893e6e7cd8d4570N.exe	104
PID 904 wrote to memory of 3496	904	8d4364cd070227dd6893e6e7cd8d4570N.exe	104
PID 904 wrote to memory of 3496	904	8d4364cd070227dd6893e6e7cd8d4570N.exe	104
PID 2244 wrote to memory of 3476	2244	8d4364cd070227dd6893e6e7cd8d4570N.exe	105
PID 2244 wrote to memory of 3476	2244	8d4364cd070227dd6893e6e7cd8d4570N.exe	105
PID 2244 wrote to memory of 3476	2244	8d4364cd070227dd6893e6e7cd8d4570N.exe	105
PID 1932 wrote to memory of 3232	1932	8d4364cd070227dd6893e6e7cd8d4570N.exe	106
PID 1932 wrote to memory of 3232	1932	8d4364cd070227dd6893e6e7cd8d4570N.exe	106
PID 1932 wrote to memory of 3232	1932	8d4364cd070227dd6893e6e7cd8d4570N.exe	106
PID 3304 wrote to memory of 4036	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	108
PID 3304 wrote to memory of 4036	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	108
PID 3304 wrote to memory of 4036	3304	8d4364cd070227dd6893e6e7cd8d4570N.exe	108
PID 4692 wrote to memory of 1488	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	109
PID 4692 wrote to memory of 1488	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	109
PID 4692 wrote to memory of 1488	4692	8d4364cd070227dd6893e6e7cd8d4570N.exe	109
PID 3188 wrote to memory of 3364	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	110
PID 3188 wrote to memory of 3364	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	110
PID 3188 wrote to memory of 3364	3188	8d4364cd070227dd6893e6e7cd8d4570N.exe	110
PID 4636 wrote to memory of 4628	4636	8d4364cd070227dd6893e6e7cd8d4570N.exe	111
PID 4636 wrote to memory of 4628	4636	8d4364cd070227dd6893e6e7cd8d4570N.exe	111
PID 4636 wrote to memory of 4628	4636	8d4364cd070227dd6893e6e7cd8d4570N.exe	111
PID 2904 wrote to memory of 4008	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	112
PID 2904 wrote to memory of 4008	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	112
PID 2904 wrote to memory of 4008	2904	8d4364cd070227dd6893e6e7cd8d4570N.exe	112
PID 4068 wrote to memory of 2368	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	113
PID 4068 wrote to memory of 2368	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	113
PID 4068 wrote to memory of 2368	4068	8d4364cd070227dd6893e6e7cd8d4570N.exe	113
PID 2800 wrote to memory of 2560	2800	8d4364cd070227dd6893e6e7cd8d4570N.exe	114

C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
"C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        8⤵
        
        PID:13072
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:9884
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12500
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:10916
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:13776
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:13284
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9600
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13244
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12884
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8524
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9656
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13188
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8452
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9544
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12112
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7596
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:11188
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:14860
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9752
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13180
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12828
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12812
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9760
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12508
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12776
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8760
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9536
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12336
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8560
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9624
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13140
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12244
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9784
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13212
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:13088
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8772
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9616
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12344
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5612
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8444
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9664
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12860
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7144
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13112
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9832
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13276
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12852
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9900
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13004
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5668
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:10304
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13320
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7400
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12384
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9704
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13204
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4204
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:13148
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8656
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9632
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12352
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5700
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9848
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12796
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7280
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12360
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9728
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12392
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5992
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13104
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7588
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9768
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13236
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5384
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12844
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8516
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9648
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12328
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5620
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9816
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12996
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13300
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9840
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12988
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6508
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13080
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8152
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9552
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12312
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13252
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9960
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13308
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5636
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8780
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9576
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13268
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7336
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13352
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9696
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12408
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8532
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9640
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13600
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7620
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9720
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13888
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:6752
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12868
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9916
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5652
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9908
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13164
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:7604
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9776
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12820
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        7⤵
        
        PID:12876
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:8856
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9520
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:9876
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13172
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:7312
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:12368
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9800
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13196
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13048
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8736
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9592
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12296
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5716
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13344
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7296
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12252
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9792
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12804
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6768
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13056
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8812
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9568
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12304
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9892
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13260
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7252
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9808
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13328
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:6288
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13096
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9680
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13120
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5296
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13292
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9944
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13156
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5660
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9924
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:13220
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:7344
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12160
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9560
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:4300
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:3728
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:6728
      - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        6⤵
        
        PID:13336
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:8752
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:9608
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12520
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:11156
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:14868
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:7240
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12228
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9824
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12544
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:13064
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:8408
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9672
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12640
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:10908
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:7320
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12376
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9712
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12704
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:6788
    - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
        5⤵
        
        PID:12836
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:8788
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9584
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12960
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:9856
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12632
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:7284
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12236
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9736
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12424
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:6220
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:10900
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:2204
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:8024
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9688
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12416
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  PID:5268
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:6760
  - - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
      "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
      4⤵
      PID:12564
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:8820
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9528
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12120
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  PID:5644
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:9952
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:13132
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  PID:7328
- - C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
    "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
    3⤵
    PID:12220
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  PID:9744
- C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe
  "C:\Users\Admin\AppData\Local\Temp\8d4364cd070227dd6893e6e7cd8d4570N.exe"
  2⤵
  PID:13228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\sperm lesbian blondie (Curtney,Gina).mpeg.exe

Filesize
1.5MB

MD5
19fe2c0ce192207d8fa99c04de0a8bab

SHA1
e1d3e345dc3fbdcc5e82000671e3213f754282a2

SHA256
213b65be0e2fe064d0fffa33122f96ab1105ad44e21c76bf751d2eb6e2a62c29

SHA512
ce8818cef4f43e20bee6c047c3b9d14b2c1387186863494dc8340f37f06d7a256bb5198d8121767db07d75d414e0f80a2fd49c8b473b5651b1fa75f151df8dd2

Download Submit