6d2f2ef4a20f0454f36294d85140e3638493b5f4216f870fdc2961fecb1eb0c4

Analysis

max time kernel
15s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67a1ef932123b75f030a17a60f68ffa0N.exe
Size

2.0MB
MD5

67a1ef932123b75f030a17a60f68ffa0
SHA1

caee92091462adefca23b85e46808318598144bb
SHA256

6d2f2ef4a20f0454f36294d85140e3638493b5f4216f870fdc2961fecb1eb0c4
SHA512

e9253bd9335ad7ce8b737dd474b91014f83b2944c878391bb05ab6f7b4f2414f7abec7f699db7e98a977f57be116d88f88dbb70eb62bbff76907ddc8fa6bcedb
SSDEEP

49152:hVVwcv4pXWbIgcU/P11jqXbnA3taLy/LG/sw2WWyI9puRqQo:1tRIgcU/t1jqrnA3suLaWy5Y

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	67a1ef932123b75f030a17a60f68ffa0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	67a1ef932123b75f030a17a60f68ffa0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\B:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\G:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\O:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\P:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\Q:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\E:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\R:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\Y:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\T:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\W:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\X:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\H:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\I:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\K:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\L:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\M:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\Z:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\A:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\J:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\N:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\U:	67a1ef932123b75f030a17a60f68ffa0N.exe
File opened (read-only)	\??\V:	67a1ef932123b75f030a17a60f68ffa0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\cum several models granny (Britney).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian hardcore beast hidden feet .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian horse [free] boobs .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\cum fucking hot (!) lady (Karin,Melissa).rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian handjob fucking public ash (Sonja).zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian fucking beastiality [milf] boobs .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse girls legs .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\chinese beastiality horse big .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\cum hardcore sleeping traffic (Anniston,Melissa).mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian handjob voyeur vagina .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\System32\DriverStore\Temp\lingerie lesbian uncut hole sm (Christine).zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\kicking full movie 40+ (Ashley).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american beast [free] cock wifey .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\german gang bang fucking [bangbus] mature .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gay lesbian masturbation blondie (Janette).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Google\Temp\japanese beast beastiality hidden sweet (Kathrin,Sylvia).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\swedish gang bang hardcore [free] pregnant .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Common Files\microsoft shared\horse hardcore sleeping cock .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\bukkake hot (!) \Û .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\gang bang lesbian full movie boobs pregnant (Ashley).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking beast girls pregnant .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay beastiality [bangbus] femdom .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\african beastiality [bangbus] granny .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\british gay girls .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling hardcore several models legs .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american nude several models hairy .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\dotnet\shared\swedish horse hidden bondage .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\british fetish xxx lesbian .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\hardcore catfight (Christine).mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\blowjob horse full movie .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\danish fetish bukkake public black hairunshaved .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cum horse lesbian (Tatjana).rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\beastiality girls bondage (Christine).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\blowjob voyeur .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\norwegian handjob beast hot (!) ash mistress (Ashley).mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black sperm nude lesbian .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\handjob hidden ash .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\gay lesbian licking boobs penetration .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\american beastiality hardcore girls (Melissa,Janette).zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\tyrkish blowjob full movie hole blondie .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\swedish cumshot hot (!) bondage .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\canadian kicking gang bang girls vagina .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\brasilian kicking big black hairunshaved (Sarah).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\cum girls pregnant .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\british beast catfight sm .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gang bang fetish full movie 50+ .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\african beastiality nude girls pregnant .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\canadian bukkake sleeping gorgeoushorny (Curtney,Sandy).rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\horse hot (!) .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\french gang bang action [milf] wifey .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\PLA\Templates\german fucking action [milf] (Ashley,Anniston).rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\horse hot (!) (Anniston,Sarah).mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\canadian horse fucking masturbation legs stockings .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\fetish blowjob [milf] mature .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\norwegian porn cumshot [milf] hairy .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\black trambling trambling uncut vagina redhair .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\bukkake big ash castration .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\asian hardcore nude catfight .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\InputMethod\SHARED\tyrkish blowjob animal [free] upskirt (Sandy).rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\brasilian beast big glans leather .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\chinese animal lesbian hotel .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\american porn fucking full movie young .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\brasilian cumshot porn masturbation .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\security\templates\british porn lingerie lesbian vagina 40+ (Jenna,Ashley).zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\gay licking titts leather (Sylvia).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\handjob sleeping pregnant .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\gay horse masturbation hotel .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\spanish beastiality licking YEâPSè& (Karin,Britney).zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\japanese sperm hidden glans ejaculation .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\tyrkish blowjob action hot (!) vagina .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\horse [bangbus] ash ejaculation .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\nude kicking hidden swallow .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\brasilian horse nude [milf] hotel .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\animal full movie (Janette,Sarah).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\german handjob bukkake several models swallow (Jade).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian blowjob licking blondie (Sylvia,Samantha).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\japanese gang bang catfight shoes .avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\lesbian [bangbus] legs .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\gay handjob full movie balls .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\french cumshot sleeping ash gorgeoushorny .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\chinese gay girls .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\lingerie handjob [milf] legs stockings .rar.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\chinese handjob [bangbus] .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\xxx cum full movie .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\british kicking girls ash .zip.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\porn xxx big (Jenna,Christine).avi.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\bukkake several models young (Karin).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\french sperm several models .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\assembly\tmp\bukkake hidden glans .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\swedish sperm bukkake girls titts .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\danish lingerie horse masturbation latex (Janette,Jenna).mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\lingerie lesbian [bangbus] .mpg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe
File created	C:\Windows\SoftwareDistribution\Download\russian xxx sleeping ash .mpeg.exe	67a1ef932123b75f030a17a60f68ffa0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67a1ef932123b75f030a17a60f68ffa0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
4276	67a1ef932123b75f030a17a60f68ffa0N.exe
4276	67a1ef932123b75f030a17a60f68ffa0N.exe
4852	67a1ef932123b75f030a17a60f68ffa0N.exe
4852	67a1ef932123b75f030a17a60f68ffa0N.exe
5092	67a1ef932123b75f030a17a60f68ffa0N.exe
5092	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
424	67a1ef932123b75f030a17a60f68ffa0N.exe
424	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
960	67a1ef932123b75f030a17a60f68ffa0N.exe
960	67a1ef932123b75f030a17a60f68ffa0N.exe
3972	67a1ef932123b75f030a17a60f68ffa0N.exe
3972	67a1ef932123b75f030a17a60f68ffa0N.exe
4276	67a1ef932123b75f030a17a60f68ffa0N.exe
4276	67a1ef932123b75f030a17a60f68ffa0N.exe
4136	67a1ef932123b75f030a17a60f68ffa0N.exe
4136	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
2964	67a1ef932123b75f030a17a60f68ffa0N.exe
212	67a1ef932123b75f030a17a60f68ffa0N.exe
2964	67a1ef932123b75f030a17a60f68ffa0N.exe
4852	67a1ef932123b75f030a17a60f68ffa0N.exe
4852	67a1ef932123b75f030a17a60f68ffa0N.exe
8	67a1ef932123b75f030a17a60f68ffa0N.exe
8	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
3916	67a1ef932123b75f030a17a60f68ffa0N.exe
1856	67a1ef932123b75f030a17a60f68ffa0N.exe
1856	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
3952	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
1112	67a1ef932123b75f030a17a60f68ffa0N.exe
540	67a1ef932123b75f030a17a60f68ffa0N.exe
540	67a1ef932123b75f030a17a60f68ffa0N.exe
5108	67a1ef932123b75f030a17a60f68ffa0N.exe
5108	67a1ef932123b75f030a17a60f68ffa0N.exe
5092	67a1ef932123b75f030a17a60f68ffa0N.exe
5092	67a1ef932123b75f030a17a60f68ffa0N.exe
424	67a1ef932123b75f030a17a60f68ffa0N.exe
424	67a1ef932123b75f030a17a60f68ffa0N.exe
2596	67a1ef932123b75f030a17a60f68ffa0N.exe
2596	67a1ef932123b75f030a17a60f68ffa0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 212	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	88
PID 3916 wrote to memory of 212	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	88
PID 3916 wrote to memory of 212	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	88
PID 212 wrote to memory of 3952	212	67a1ef932123b75f030a17a60f68ffa0N.exe	93
PID 212 wrote to memory of 3952	212	67a1ef932123b75f030a17a60f68ffa0N.exe	93
PID 212 wrote to memory of 3952	212	67a1ef932123b75f030a17a60f68ffa0N.exe	93
PID 3916 wrote to memory of 1112	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	94
PID 3916 wrote to memory of 1112	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	94
PID 3916 wrote to memory of 1112	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	94
PID 212 wrote to memory of 4276	212	67a1ef932123b75f030a17a60f68ffa0N.exe	95
PID 212 wrote to memory of 4276	212	67a1ef932123b75f030a17a60f68ffa0N.exe	95
PID 212 wrote to memory of 4276	212	67a1ef932123b75f030a17a60f68ffa0N.exe	95
PID 3952 wrote to memory of 4852	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	96
PID 3952 wrote to memory of 4852	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	96
PID 3952 wrote to memory of 4852	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	96
PID 3916 wrote to memory of 5092	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	97
PID 3916 wrote to memory of 5092	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	97
PID 3916 wrote to memory of 5092	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	97
PID 1112 wrote to memory of 424	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	98
PID 1112 wrote to memory of 424	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	98
PID 1112 wrote to memory of 424	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	98
PID 4276 wrote to memory of 960	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	100
PID 4276 wrote to memory of 960	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	100
PID 4276 wrote to memory of 960	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	100
PID 212 wrote to memory of 3972	212	67a1ef932123b75f030a17a60f68ffa0N.exe	101
PID 212 wrote to memory of 3972	212	67a1ef932123b75f030a17a60f68ffa0N.exe	101
PID 212 wrote to memory of 3972	212	67a1ef932123b75f030a17a60f68ffa0N.exe	101
PID 3916 wrote to memory of 4136	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	102
PID 3916 wrote to memory of 4136	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	102
PID 3916 wrote to memory of 4136	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	102
PID 4852 wrote to memory of 2964	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	103
PID 4852 wrote to memory of 2964	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	103
PID 4852 wrote to memory of 2964	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	103
PID 3952 wrote to memory of 8	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	104
PID 3952 wrote to memory of 8	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	104
PID 3952 wrote to memory of 8	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	104
PID 1112 wrote to memory of 1856	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	105
PID 1112 wrote to memory of 1856	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	105
PID 1112 wrote to memory of 1856	1112	67a1ef932123b75f030a17a60f68ffa0N.exe	105
PID 5092 wrote to memory of 540	5092	67a1ef932123b75f030a17a60f68ffa0N.exe	106
PID 5092 wrote to memory of 540	5092	67a1ef932123b75f030a17a60f68ffa0N.exe	106
PID 5092 wrote to memory of 540	5092	67a1ef932123b75f030a17a60f68ffa0N.exe	106
PID 424 wrote to memory of 5108	424	67a1ef932123b75f030a17a60f68ffa0N.exe	107
PID 424 wrote to memory of 5108	424	67a1ef932123b75f030a17a60f68ffa0N.exe	107
PID 424 wrote to memory of 5108	424	67a1ef932123b75f030a17a60f68ffa0N.exe	107
PID 4276 wrote to memory of 2596	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	110
PID 4276 wrote to memory of 2596	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	110
PID 4276 wrote to memory of 2596	4276	67a1ef932123b75f030a17a60f68ffa0N.exe	110
PID 212 wrote to memory of 2272	212	67a1ef932123b75f030a17a60f68ffa0N.exe	111
PID 212 wrote to memory of 2272	212	67a1ef932123b75f030a17a60f68ffa0N.exe	111
PID 212 wrote to memory of 2272	212	67a1ef932123b75f030a17a60f68ffa0N.exe	111
PID 4852 wrote to memory of 2652	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	112
PID 4852 wrote to memory of 2652	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	112
PID 4852 wrote to memory of 2652	4852	67a1ef932123b75f030a17a60f68ffa0N.exe	112
PID 3916 wrote to memory of 2892	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	113
PID 3916 wrote to memory of 2892	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	113
PID 3916 wrote to memory of 2892	3916	67a1ef932123b75f030a17a60f68ffa0N.exe	113
PID 3972 wrote to memory of 4376	3972	67a1ef932123b75f030a17a60f68ffa0N.exe	114
PID 3972 wrote to memory of 4376	3972	67a1ef932123b75f030a17a60f68ffa0N.exe	114
PID 3972 wrote to memory of 4376	3972	67a1ef932123b75f030a17a60f68ffa0N.exe	114
PID 960 wrote to memory of 1860	960	67a1ef932123b75f030a17a60f68ffa0N.exe	115
PID 960 wrote to memory of 1860	960	67a1ef932123b75f030a17a60f68ffa0N.exe	115
PID 960 wrote to memory of 1860	960	67a1ef932123b75f030a17a60f68ffa0N.exe	115
PID 3952 wrote to memory of 3840	3952	67a1ef932123b75f030a17a60f68ffa0N.exe	116

C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
"C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        8⤵
        
        PID:11332
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        8⤵
        
        PID:15132
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        8⤵
        
        PID:13036
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:10212
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13980
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:9488
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13972
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13492
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:8480
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10504
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13308
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:10888
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13408
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13004
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9720
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10164
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14036
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5296
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9176
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13180
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14720
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8512
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10320
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13440
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13704
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13516
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10372
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14772
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:11356
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:15284
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6688
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:12868
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8672
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10520
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13448
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:3840
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9152
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13212
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14780
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9120
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12900
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5380
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10972
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13456
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6640
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14160
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10488
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13228
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:11324
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:15484
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:12964
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10204
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14004
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:11000
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:15124
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6592
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:12940
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8372
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10456
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10144
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14020
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13012
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9000
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10256
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14168
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5416
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10408
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14740
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6600
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12860
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8396
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10448
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13172
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:11364
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:16320
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6876
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:12924
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8968
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10264
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13108
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5392
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10960
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13416
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13500
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8088
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10336
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13156
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10148
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:14152
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6380
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:11384
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:15608
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:7188
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14028
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:9472
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10188
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13964
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:11340
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:15716
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13940
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:8404
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10480
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13236
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:10432
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13140
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:14128
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:9620
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10180
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13948
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:5312
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        7⤵
        
        PID:13044
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10440
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13116
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:14756
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8680
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10312
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13204
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6220
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10844
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13508
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13084
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9344
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10156
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13932
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5360
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9440
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10220
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14012
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12852
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8456
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10296
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13092
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5188
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:11348
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:15152
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:12996
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10344
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13124
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:11664
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12956
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10304
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13220
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6348
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:11444
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:15780
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:7216
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12948
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:9672
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10172
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:14044
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10416
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:14748
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:6632
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:14144
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:8440
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10472
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13464
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:10424
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:13196
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        6⤵
        
        PID:12932
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10248
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12916
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:9404
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10228
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:14136
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6704
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:13076
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8688
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10464
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13188
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:11504
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:15772
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:12988
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8936
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10272
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13100
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:11376
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:15632
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:14764
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:8472
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10496
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13640
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:8920
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:10288
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:6712
    - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
        5⤵
        
        PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:8928
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10280
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:4612
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:10400
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13164
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:13056
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:8464
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10328
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13132
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:6356
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:11464
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:15624
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:7736
  - - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
      "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
      4⤵
      PID:11760
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10380
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13148
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:9432
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:10236
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:13996
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:6608
- - C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
    3⤵
    PID:12908
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:8488
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:10512
- C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe
  "C:\Users\Admin\AppData\Local\Temp\67a1ef932123b75f030a17a60f68ffa0N.exe"
  2⤵
  PID:13244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking beast girls pregnant .avi.exe

Filesize
2.0MB

MD5
319133a32dab94391ae95d841153cad3

SHA1
dd8edc132847d228953aa75ee6b51bfa0d53c8a6

SHA256
1f74f7c14c9b5dc40b1c0c3649fdf263d0e21d1fc6e35b0da78a4659793ef48e

SHA512
16bc478c14e584701c5defebd6f51685ca5332dd7d11f7efb97e51e360ec4585c5e4984b75f46e135886ae835ff864a75e725b49ff3c739c0d913949ef4cd6a6

Download Submit