3f263903d127a88413d6e92db4955ae5841543a6ac1aa157a43b69ece18019f6

Analysis

max time kernel
15s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb5d2a4d4441a572078675e9958bb8c0N.exe
Size

355KB
MD5

bb5d2a4d4441a572078675e9958bb8c0
SHA1

dc14de7821647f5ef359cfea850e24f17a06e916
SHA256

3f263903d127a88413d6e92db4955ae5841543a6ac1aa157a43b69ece18019f6
SHA512

0a6a215fcc4f1b99bec4575c70aee93dbbc1f2736742539fdd21e875f4ca1016cc79bdb98e6bd13e0806d5366d2339d05153022e4c0efa90d76321a871d54deb
SSDEEP

6144:dXC4vgmhbIxs3NBBlIik6WH7C3RIJqNh18YQjz7XYRpQuaJD/PPoeJwML:dXCNi9BPIV6J3Aqn189XYnQuaJL3wML

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	bb5d2a4d4441a572078675e9958bb8c0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	bb5d2a4d4441a572078675e9958bb8c0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\E:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\I:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\Q:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\R:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\V:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\K:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\P:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\T:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\A:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\B:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\G:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\H:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\J:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\U:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\X:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\Z:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\N:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\S:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\Y:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\L:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\M:	bb5d2a4d4441a572078675e9958bb8c0N.exe
File opened (read-only)	\??\O:	bb5d2a4d4441a572078675e9958bb8c0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\beast [free] (Tatjana).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\System32\DriverStore\Temp\gay masturbation mistress .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\american gang bang beast licking cock (Gina,Jade).rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lesbian catfight .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian animal blowjob several models girly .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian beastiality lesbian licking stockings .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian action gay [milf] titts .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse girls bedroom .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beast full movie hole shower .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish kicking trambling hidden titts pregnant (Curtney).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish nude beast sleeping feet shower .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian fetish blowjob catfight glans gorgeoushorny .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\swedish cum gay full movie .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\lingerie masturbation .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\beast [free] 40+ .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\fucking public (Sylvia).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Google\Temp\swedish action gay voyeur titts 40+ .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\italian action hardcore big (Curtney).mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\hardcore girls hole girly .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish gang bang hardcore [bangbus] titts 40+ .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\dotnet\shared\gay public glans stockings .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\bukkake [free] penetration .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\italian kicking bukkake lesbian boots .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\horse public (Janette).mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black action blowjob hot (!) sweet .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie [free] hole .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\sperm public gorgeoushorny (Britney,Liz).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian cumshot hardcore [milf] titts .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\indian kicking gay lesbian girly (Kathrin,Karin).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore hot (!) mistress .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\canadian horse masturbation titts fishy (Karin).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\norwegian xxx big glans .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\animal sperm girls glans .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\chinese bukkake hot (!) titts granny .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\canadian trambling masturbation feet .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\horse hardcore voyeur hole .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\gang bang hardcore girls cock .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\hardcore sleeping (Sarah).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\african horse licking .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\fetish fucking several models glans pregnant .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\porn gay hidden feet bondage .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\handjob horse full movie fishy .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\danish cum bukkake girls high heels .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\fucking hidden titts (Christine,Karin).zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\black gang bang sperm several models titts .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\danish gang bang beast sleeping (Sylvia).zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\french gay public .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\british sperm voyeur (Tatjana).zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\hardcore full movie cock .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\tyrkish handjob beast [free] gorgeoushorny .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\swedish gang bang beast public glans .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\beastiality lingerie [bangbus] hole .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\danish action fucking full movie beautyfull (Jenna,Jade).zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\bukkake hot (!) .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\african horse licking titts .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\asian horse [bangbus] 40+ .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\bukkake public YEâPSè& .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\italian beastiality hardcore [milf] leather (Sonja,Curtney).mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\animal gay girls titts .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\russian cum bukkake full movie fishy .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\danish animal blowjob girls .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\canadian fucking big black hairunshaved .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\horse [free] feet sweet .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\xxx hidden Ôï .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\malaysia trambling full movie titts .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\asian lingerie public .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\gang bang xxx uncut beautyfull .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\italian nude blowjob sleeping feet .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\handjob gay hidden hole .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\tyrkish horse lingerie catfight 50+ .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\american beastiality xxx licking wifey .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\InputMethod\SHARED\american cumshot trambling catfight .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\asian beast masturbation 50+ (Sonja,Janette).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\gay catfight glans pregnant (Sarah).rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\danish fetish xxx big .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\lingerie [free] penetration .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\american fetish lingerie several models titts mature .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\danish porn lingerie [milf] blondie .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\assembly\tmp\bukkake hidden 40+ .rar.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\trambling hot (!) fishy .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\handjob trambling hidden hole 50+ (Curtney).mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\black animal hardcore [free] feet fishy .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\brasilian horse trambling catfight .zip.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\mssrv.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\Downloaded Program Files\gay masturbation .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\animal fucking [bangbus] (Melissa).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\lingerie voyeur 50+ .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\cum trambling several models (Melissa).mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\american action hardcore [free] hole .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\PLA\Templates\russian porn beast masturbation sm (Anniston,Janette).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\american gang bang blowjob catfight swallow .mpeg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\swedish fetish bukkake catfight .avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\handjob bukkake sleeping balls (Sonja,Sarah).avi.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe
File created	C:\Windows\assembly\temp\xxx public ash .mpg.exe	bb5d2a4d4441a572078675e9958bb8c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb5d2a4d4441a572078675e9958bb8c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
4048	bb5d2a4d4441a572078675e9958bb8c0N.exe
4048	bb5d2a4d4441a572078675e9958bb8c0N.exe
4364	bb5d2a4d4441a572078675e9958bb8c0N.exe
4364	bb5d2a4d4441a572078675e9958bb8c0N.exe
3820	bb5d2a4d4441a572078675e9958bb8c0N.exe
3820	bb5d2a4d4441a572078675e9958bb8c0N.exe
4108	bb5d2a4d4441a572078675e9958bb8c0N.exe
4108	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
2956	bb5d2a4d4441a572078675e9958bb8c0N.exe
2956	bb5d2a4d4441a572078675e9958bb8c0N.exe
4488	bb5d2a4d4441a572078675e9958bb8c0N.exe
4488	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
5044	bb5d2a4d4441a572078675e9958bb8c0N.exe
4476	bb5d2a4d4441a572078675e9958bb8c0N.exe
4476	bb5d2a4d4441a572078675e9958bb8c0N.exe
3592	bb5d2a4d4441a572078675e9958bb8c0N.exe
3592	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
4052	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
2832	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
1216	bb5d2a4d4441a572078675e9958bb8c0N.exe
436	bb5d2a4d4441a572078675e9958bb8c0N.exe
436	bb5d2a4d4441a572078675e9958bb8c0N.exe
4048	bb5d2a4d4441a572078675e9958bb8c0N.exe
4048	bb5d2a4d4441a572078675e9958bb8c0N.exe
2252	bb5d2a4d4441a572078675e9958bb8c0N.exe
2252	bb5d2a4d4441a572078675e9958bb8c0N.exe
3952	bb5d2a4d4441a572078675e9958bb8c0N.exe
3952	bb5d2a4d4441a572078675e9958bb8c0N.exe
4100	bb5d2a4d4441a572078675e9958bb8c0N.exe
4100	bb5d2a4d4441a572078675e9958bb8c0N.exe
3820	bb5d2a4d4441a572078675e9958bb8c0N.exe
3820	bb5d2a4d4441a572078675e9958bb8c0N.exe
4364	bb5d2a4d4441a572078675e9958bb8c0N.exe
4364	bb5d2a4d4441a572078675e9958bb8c0N.exe
4108	bb5d2a4d4441a572078675e9958bb8c0N.exe
4108	bb5d2a4d4441a572078675e9958bb8c0N.exe
3276	bb5d2a4d4441a572078675e9958bb8c0N.exe
3276	bb5d2a4d4441a572078675e9958bb8c0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2832	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	87
PID 4052 wrote to memory of 2832	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	87
PID 4052 wrote to memory of 2832	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	87
PID 4052 wrote to memory of 1216	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	92
PID 4052 wrote to memory of 1216	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	92
PID 4052 wrote to memory of 1216	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	92
PID 2832 wrote to memory of 5044	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	93
PID 2832 wrote to memory of 5044	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	93
PID 2832 wrote to memory of 5044	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	93
PID 5044 wrote to memory of 4048	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	94
PID 5044 wrote to memory of 4048	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	94
PID 5044 wrote to memory of 4048	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	94
PID 4052 wrote to memory of 3820	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	95
PID 2832 wrote to memory of 4364	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	96
PID 4052 wrote to memory of 3820	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	95
PID 4052 wrote to memory of 3820	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	95
PID 2832 wrote to memory of 4364	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	96
PID 2832 wrote to memory of 4364	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	96
PID 1216 wrote to memory of 4108	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	97
PID 1216 wrote to memory of 4108	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	97
PID 1216 wrote to memory of 4108	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	97
PID 5044 wrote to memory of 2956	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	99
PID 5044 wrote to memory of 2956	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	99
PID 5044 wrote to memory of 2956	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	99
PID 1216 wrote to memory of 4488	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	100
PID 1216 wrote to memory of 4488	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	100
PID 1216 wrote to memory of 4488	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	100
PID 4052 wrote to memory of 4476	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	101
PID 4052 wrote to memory of 4476	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	101
PID 4052 wrote to memory of 4476	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	101
PID 2832 wrote to memory of 3592	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	102
PID 2832 wrote to memory of 3592	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	102
PID 2832 wrote to memory of 3592	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	102
PID 4048 wrote to memory of 436	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	103
PID 4048 wrote to memory of 436	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	103
PID 4048 wrote to memory of 436	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	103
PID 3820 wrote to memory of 2252	3820	bb5d2a4d4441a572078675e9958bb8c0N.exe	105
PID 3820 wrote to memory of 2252	3820	bb5d2a4d4441a572078675e9958bb8c0N.exe	105
PID 3820 wrote to memory of 2252	3820	bb5d2a4d4441a572078675e9958bb8c0N.exe	105
PID 4108 wrote to memory of 3952	4108	bb5d2a4d4441a572078675e9958bb8c0N.exe	104
PID 4108 wrote to memory of 3952	4108	bb5d2a4d4441a572078675e9958bb8c0N.exe	104
PID 4108 wrote to memory of 3952	4108	bb5d2a4d4441a572078675e9958bb8c0N.exe	104
PID 4364 wrote to memory of 4100	4364	bb5d2a4d4441a572078675e9958bb8c0N.exe	106
PID 4364 wrote to memory of 4100	4364	bb5d2a4d4441a572078675e9958bb8c0N.exe	106
PID 4364 wrote to memory of 4100	4364	bb5d2a4d4441a572078675e9958bb8c0N.exe	106
PID 1216 wrote to memory of 3276	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	110
PID 1216 wrote to memory of 3276	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	110
PID 1216 wrote to memory of 3276	1216	bb5d2a4d4441a572078675e9958bb8c0N.exe	110
PID 4052 wrote to memory of 3548	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	111
PID 4052 wrote to memory of 3548	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	111
PID 4052 wrote to memory of 3548	4052	bb5d2a4d4441a572078675e9958bb8c0N.exe	111
PID 5044 wrote to memory of 4352	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	109
PID 5044 wrote to memory of 4352	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	109
PID 5044 wrote to memory of 4352	5044	bb5d2a4d4441a572078675e9958bb8c0N.exe	109
PID 2832 wrote to memory of 3508	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	112
PID 2832 wrote to memory of 3508	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	112
PID 2832 wrote to memory of 3508	2832	bb5d2a4d4441a572078675e9958bb8c0N.exe	112
PID 4048 wrote to memory of 1504	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	113
PID 4048 wrote to memory of 1504	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	113
PID 4048 wrote to memory of 1504	4048	bb5d2a4d4441a572078675e9958bb8c0N.exe	113
PID 2956 wrote to memory of 1176	2956	bb5d2a4d4441a572078675e9958bb8c0N.exe	114
PID 2956 wrote to memory of 1176	2956	bb5d2a4d4441a572078675e9958bb8c0N.exe	114
PID 2956 wrote to memory of 1176	2956	bb5d2a4d4441a572078675e9958bb8c0N.exe	114
PID 3820 wrote to memory of 5016	3820	bb5d2a4d4441a572078675e9958bb8c0N.exe	115

C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
"C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        8⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        8⤵
        
        PID:11236
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        8⤵
        
        PID:14412
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:11472
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        8⤵
        
        PID:13576
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:11372
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:15420
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:13544
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:14568
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:14516
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:10632
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:14596
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7912
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:5296
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:8940
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:12440
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:12400
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7792
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11124
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15016
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:10388
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:14456
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7920
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11580
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11480
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:15472
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:12132
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7764
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11080
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15124
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11108
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:15348
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11572
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15600
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5312
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:8908
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:12252
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7028
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:13560
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7776
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11140
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15116
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:14312
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7936
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11488
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:15448
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:5328
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:8916
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11728
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:13552
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7756
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11096
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15336
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11600
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:14404
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7904
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:10820
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6852
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7732
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:10844
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:14628
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6768
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:13960
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7668
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:10544
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:14508
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:8900
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:12124
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7952
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11496
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:9752
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:12952
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7236
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:14612
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7716
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11664
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15480
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6204
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:9744
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:12524
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7944
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11680
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:5304
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:8788
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:12328
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:12260
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:7748
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:10852
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:14620
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:9720
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:12532
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:14668
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:10832
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:14736
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        7⤵
        
        PID:13568
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11364
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:15508
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11352
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7856
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11564
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15432
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11132
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:15204
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7864
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11536
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15456
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:9544
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:13476
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6840
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11344
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7800
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11328
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15304
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:9052
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:13772
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7880
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11460
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:15440
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:8892
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11944
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6732
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11688
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7832
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:12960
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:8312
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:10780
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:14688
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7960
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15464
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6784
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:13584
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7808
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:12516
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:6584
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:13592
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:7824
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:11756
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:8932
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:12432
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:6172
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:11116
      - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        6⤵
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:7740
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:12308
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:5232
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:9528
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:12944
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11992
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7708
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:10740
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:14704
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6312
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:10220
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7896
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15668
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:8144
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:10748
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:14696
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11336
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15272
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:7784
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:11088
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:15228
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:6364
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:11244
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:14264
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11544
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7276
    - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
        5⤵
        
        PID:14528
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:7692
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:10600
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:14604
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:11672
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:15488
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:7840
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:11380
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:8924
  - - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
      4⤵
      PID:12320
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:7684
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:10624
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:14588
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:9656
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:10676
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  PID:7320
- - C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
    3⤵
    PID:15900
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  PID:7700
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  PID:10712
- C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\bb5d2a4d4441a572078675e9958bb8c0N.exe"
  2⤵
  PID:15068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie [free] hole .rar.exe

Filesize
218KB

MD5
14a65389276b6e9c4a22bb28722d5465

SHA1
52a2c15d5358e5c0d3554922f2228ef328f3fd8a

SHA256
46e17116b6d8e6677db372e4f46f1c73c441df85bc0644366477961a73feed24

SHA512
bf620a76b63b0778afd6c02d955a5ff62423c74c8ba86eafbb272f36051fd811bf48351e0998439937dff9868ce3ef8aa125c129c5184eb7c8b2d9784c81ed16

Download Submit
memory/1060-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1176-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1216-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1504-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2072-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2252-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2500-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2832-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2832-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3276-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3508-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3592-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4048-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4100-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4108-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4108-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4364-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4476-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4488-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4488-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4508-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4784-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5016-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5044-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5224-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5232-211-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5256-203-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5264-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5280-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5288-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5296-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5312-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5320-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5336-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5344-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5940-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5956-210-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6108-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6120-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6132-215-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6152-216-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6196-217-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6204-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6288-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6296-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6304-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6312-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6340-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6364-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6568-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6712-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6732-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6784-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6840-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6976-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7028-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7048-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7244-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7276-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7320-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7668-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7676-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7692-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7700-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7708-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7716-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7724-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7732-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7764-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7792-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7800-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7808-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7816-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7840-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7848-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7904-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7920-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7928-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7936-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7944-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7952-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7960-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8144-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8312-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8800-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8808-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8892-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download