f53b6ca53d80b8930b56f4291f97f9cbd7976a3a4592d205a73b9ddd09ce0a75

Analysis

max time kernel
12s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba65977350fe214f6f53bfc7609dcd0N.exe
Size

1.2MB
MD5

8ba65977350fe214f6f53bfc7609dcd0
SHA1

f83ac139d2e730bd50b19a9e241a61f44d03819c
SHA256

f53b6ca53d80b8930b56f4291f97f9cbd7976a3a4592d205a73b9ddd09ce0a75
SHA512

2b508a1ffc66727914b6f38c128c80819cdd69421bd6d33c78d06ea76ff5011f14184edbba647dd9ae9de279f8560a8372991fefdcc43f3cf10d0fe7aae0196c
SSDEEP

24576:sWuT9SdYjPULkx+M7wbyh1gzqJOlGX8U4MQjJZnT+x3t:B6gwQAZ1fIk4Hgt

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8ba65977350fe214f6f53bfc7609dcd0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8ba65977350fe214f6f53bfc7609dcd0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\L:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\V:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\Z:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\N:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\O:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\P:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\S:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\A:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\E:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\H:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\I:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\T:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\X:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\K:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\R:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\U:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\W:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\Y:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\B:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\G:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\M:	8ba65977350fe214f6f53bfc7609dcd0N.exe
File opened (read-only)	\??\Q:	8ba65977350fe214f6f53bfc7609dcd0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\japanese nude hardcore big .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish nude blowjob [milf] titts .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\gay several models glans ejaculation (Curtney).mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\gay sleeping glans circumcision (Samantha).mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish gang bang beast hidden circumcision (Kathrin,Sarah).rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese bukkake full movie redhair .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\beast hidden titts sm .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black nude xxx public cock .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\hardcore public .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\xxx [free] redhair (Jenna,Liz).zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian beastiality hardcore [bangbus] (Samantha).avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian horse sperm girls hole bedroom .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\swedish cum fucking girls upskirt .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish nude blowjob catfight mature .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\american kicking blowjob several models .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast public penetration .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black cum bukkake masturbation mature .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\black handjob gay [bangbus] penetration (Sonja,Karin).mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian handjob xxx big castration .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\russian gang bang lesbian [bangbus] titts young .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian porn lesbian girls Œã .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\tyrkish nude hardcore full movie .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\lesbian big feet leather .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish horse lesbian full movie glans .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore masturbation .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\lesbian masturbation cock 50+ .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish action xxx girls titts (Sonja,Tatjana).rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese kicking lesbian catfight cock .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Program Files (x86)\Google\Temp\indian kicking hardcore several models glans leather (Liz).zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\danish gang bang horse catfight .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\CbsTemp\russian porn trambling voyeur cock .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\tyrkish cumshot lingerie big feet granny (Karin).mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\danish nude bukkake [free] feet granny .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\asian sperm [bangbus] granny .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\japanese cumshot hardcore catfight mature .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\beast hidden (Karin).rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\beastiality xxx [bangbus] Ôï .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\american beastiality beast [bangbus] .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\danish kicking blowjob hidden high heels .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\asian gay sleeping titts .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fetish blowjob [free] balls .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\norwegian beast girls (Samantha).rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\indian nude lesbian girls latex (Sonja,Curtney).avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish cum gay masturbation glans (Christine,Sarah).rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\tyrkish nude gay [free] hole latex .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\indian gang bang sperm big feet femdom (Samantha).mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\black action beast catfight cock sm (Samantha).avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\british sperm voyeur .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\beastiality blowjob sleeping hole redhair .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\kicking lesbian [free] hole hotel .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\japanese fetish hardcore public hole Œã .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\lingerie catfight glans .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\brasilian horse trambling girls glans .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\porn blowjob catfight titts (Kathrin,Samantha).mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\lesbian [milf] cock granny .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\african bukkake masturbation hairy (Ashley,Curtney).avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\russian fetish sperm [milf] young .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\spanish lesbian [bangbus] circumcision .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\brasilian cumshot lesbian masturbation .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\norwegian beast [bangbus] pregnant .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\french lingerie hot (!) pregnant .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\tyrkish cumshot xxx voyeur hole .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\blowjob sleeping .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\malaysia beast public penetration .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\american gang bang gay licking hole (Christine,Liz).mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\indian beastiality horse hot (!) shoes .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\lesbian licking lady .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\handjob sperm masturbation .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\danish handjob horse licking bondage .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\swedish animal bukkake sleeping (Jade).avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\chinese xxx hidden granny .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\bukkake public young .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\assembly\tmp\bukkake uncut .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\malaysia sperm [free] penetration .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\canadian beast masturbation titts .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\german bukkake lesbian swallow .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\beastiality gay licking girly .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian porn hardcore masturbation titts granny .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\chinese beast catfight .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\black nude blowjob hidden .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\InputMethod\SHARED\blowjob [bangbus] titts .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\horse gay licking titts .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\trambling several models balls .mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\hardcore catfight feet .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\malaysia beast hot (!) feet wifey .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\mssrv.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\horse [free] titts .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\animal bukkake hidden .mpg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\hardcore several models titts .avi.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american fetish bukkake public (Janette).mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\italian cumshot blowjob uncut .zip.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\brasilian action beast catfight (Tatjana).mpeg.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\swedish animal trambling full movie swallow .rar.exe	8ba65977350fe214f6f53bfc7609dcd0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba65977350fe214f6f53bfc7609dcd0N.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
4320	8ba65977350fe214f6f53bfc7609dcd0N.exe
4320	8ba65977350fe214f6f53bfc7609dcd0N.exe
3596	8ba65977350fe214f6f53bfc7609dcd0N.exe
3596	8ba65977350fe214f6f53bfc7609dcd0N.exe
2488	8ba65977350fe214f6f53bfc7609dcd0N.exe
2488	8ba65977350fe214f6f53bfc7609dcd0N.exe
1444	8ba65977350fe214f6f53bfc7609dcd0N.exe
1444	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
544	8ba65977350fe214f6f53bfc7609dcd0N.exe
544	8ba65977350fe214f6f53bfc7609dcd0N.exe
1864	8ba65977350fe214f6f53bfc7609dcd0N.exe
1864	8ba65977350fe214f6f53bfc7609dcd0N.exe
548	8ba65977350fe214f6f53bfc7609dcd0N.exe
548	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
1920	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
4832	8ba65977350fe214f6f53bfc7609dcd0N.exe
2408	8ba65977350fe214f6f53bfc7609dcd0N.exe
2408	8ba65977350fe214f6f53bfc7609dcd0N.exe
2020	8ba65977350fe214f6f53bfc7609dcd0N.exe
2020	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
4460	8ba65977350fe214f6f53bfc7609dcd0N.exe
864	8ba65977350fe214f6f53bfc7609dcd0N.exe
864	8ba65977350fe214f6f53bfc7609dcd0N.exe
4320	8ba65977350fe214f6f53bfc7609dcd0N.exe
4320	8ba65977350fe214f6f53bfc7609dcd0N.exe
3568	8ba65977350fe214f6f53bfc7609dcd0N.exe
3568	8ba65977350fe214f6f53bfc7609dcd0N.exe
3596	8ba65977350fe214f6f53bfc7609dcd0N.exe
2488	8ba65977350fe214f6f53bfc7609dcd0N.exe
3596	8ba65977350fe214f6f53bfc7609dcd0N.exe
2488	8ba65977350fe214f6f53bfc7609dcd0N.exe
3632	8ba65977350fe214f6f53bfc7609dcd0N.exe
3632	8ba65977350fe214f6f53bfc7609dcd0N.exe
1444	8ba65977350fe214f6f53bfc7609dcd0N.exe
1444	8ba65977350fe214f6f53bfc7609dcd0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4832	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	89
PID 1920 wrote to memory of 4832	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	89
PID 1920 wrote to memory of 4832	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	89
PID 1920 wrote to memory of 3124	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	93
PID 1920 wrote to memory of 3124	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	93
PID 1920 wrote to memory of 3124	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	93
PID 4832 wrote to memory of 4460	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	94
PID 4832 wrote to memory of 4460	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	94
PID 4832 wrote to memory of 4460	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	94
PID 1920 wrote to memory of 4320	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	97
PID 1920 wrote to memory of 4320	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	97
PID 1920 wrote to memory of 4320	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	97
PID 4832 wrote to memory of 2488	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	99
PID 4832 wrote to memory of 2488	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	99
PID 4832 wrote to memory of 2488	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	99
PID 4460 wrote to memory of 1444	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	100
PID 4460 wrote to memory of 1444	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	100
PID 4460 wrote to memory of 1444	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	100
PID 4832 wrote to memory of 1864	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	103
PID 4832 wrote to memory of 1864	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	103
PID 4832 wrote to memory of 1864	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	103
PID 1920 wrote to memory of 548	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	104
PID 1920 wrote to memory of 548	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	104
PID 1920 wrote to memory of 548	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	104
PID 4460 wrote to memory of 2408	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	105
PID 4460 wrote to memory of 2408	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	105
PID 4460 wrote to memory of 2408	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	105
PID 4320 wrote to memory of 2020	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	106
PID 4320 wrote to memory of 2020	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	106
PID 4320 wrote to memory of 2020	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	106
PID 3596 wrote to memory of 864	3596	8ba65977350fe214f6f53bfc7609dcd0N.exe	107
PID 3596 wrote to memory of 864	3596	8ba65977350fe214f6f53bfc7609dcd0N.exe	107
PID 3596 wrote to memory of 864	3596	8ba65977350fe214f6f53bfc7609dcd0N.exe	107
PID 2488 wrote to memory of 3568	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	108
PID 2488 wrote to memory of 3568	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	108
PID 2488 wrote to memory of 3568	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	108
PID 1444 wrote to memory of 3632	1444	8ba65977350fe214f6f53bfc7609dcd0N.exe	109
PID 1444 wrote to memory of 3632	1444	8ba65977350fe214f6f53bfc7609dcd0N.exe	109
PID 1444 wrote to memory of 3632	1444	8ba65977350fe214f6f53bfc7609dcd0N.exe	109
PID 1920 wrote to memory of 4040	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	113
PID 1920 wrote to memory of 4040	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	113
PID 1920 wrote to memory of 4040	1920	8ba65977350fe214f6f53bfc7609dcd0N.exe	113
PID 4832 wrote to memory of 464	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	114
PID 4832 wrote to memory of 464	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	114
PID 4832 wrote to memory of 464	4832	8ba65977350fe214f6f53bfc7609dcd0N.exe	114
PID 4460 wrote to memory of 1040	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	115
PID 4460 wrote to memory of 1040	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	115
PID 4460 wrote to memory of 1040	4460	8ba65977350fe214f6f53bfc7609dcd0N.exe	115
PID 544 wrote to memory of 724	544	8ba65977350fe214f6f53bfc7609dcd0N.exe	116
PID 544 wrote to memory of 724	544	8ba65977350fe214f6f53bfc7609dcd0N.exe	116
PID 544 wrote to memory of 724	544	8ba65977350fe214f6f53bfc7609dcd0N.exe	116
PID 1864 wrote to memory of 3560	1864	8ba65977350fe214f6f53bfc7609dcd0N.exe	117
PID 1864 wrote to memory of 3560	1864	8ba65977350fe214f6f53bfc7609dcd0N.exe	117
PID 1864 wrote to memory of 3560	1864	8ba65977350fe214f6f53bfc7609dcd0N.exe	117
PID 4320 wrote to memory of 2632	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	118
PID 4320 wrote to memory of 2632	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	118
PID 4320 wrote to memory of 2632	4320	8ba65977350fe214f6f53bfc7609dcd0N.exe	118
PID 2020 wrote to memory of 3464	2020	8ba65977350fe214f6f53bfc7609dcd0N.exe	121
PID 2020 wrote to memory of 3464	2020	8ba65977350fe214f6f53bfc7609dcd0N.exe	121
PID 2020 wrote to memory of 3464	2020	8ba65977350fe214f6f53bfc7609dcd0N.exe	121
PID 2488 wrote to memory of 4136	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	122
PID 2488 wrote to memory of 4136	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	122
PID 2488 wrote to memory of 4136	2488	8ba65977350fe214f6f53bfc7609dcd0N.exe	122
PID 1444 wrote to memory of 2240	1444	8ba65977350fe214f6f53bfc7609dcd0N.exe	123

C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
"C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:12032
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:17632
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:18620
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:9500
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:13876
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:11356
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:15736
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        8⤵
        
        PID:15120
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:14568
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:12284
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:17688
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:16872
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9320
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:18824
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12752
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17868
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:11440
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:15944
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:17388
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9420
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:13652
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5248
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:12048
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:17704
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9580
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:14648
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6524
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12168
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17644
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7240
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18164
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9508
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13540
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:4488
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:11996
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:17504
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:18908
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9460
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:13668
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5280
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:18636
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:13716
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12516
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17748
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7208
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:16288
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9588
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13884
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:11032
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18652
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9372
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13204
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18056
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5344
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9596
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13552
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7424
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18156
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9388
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13612
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:11460
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:16856
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:19340
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9412
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:13708
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:18644
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:10184
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:15364
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6628
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12160
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17672
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7232
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18540
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9364
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13188
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18172
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6244
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:11048
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7312
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:16940
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9404
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13908
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5312
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17220
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9532
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13852
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11864
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16760
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7176
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:17204
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9524
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13700
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6068
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:11164
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18556
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9468
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13688
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9704
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:12912
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:17952
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6988
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16864
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5848
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11452
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15960
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9620
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13892
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6044
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11856
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16848
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7392
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:17396
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9348
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6168
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13316
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:18300
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:10712
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:15112
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:10936
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:9612
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:13900
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:864
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:11636
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:16704
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:16880
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9380
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:14576
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:11060
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        7⤵
        
        PID:16948
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:9540
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:13956
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6532
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12084
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17696
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7248
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18192
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9492
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13676
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6252
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12076
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17664
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7328
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:16932
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9356
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13180
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18268
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:16520
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11348
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15456
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6860
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11012
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15380
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7184
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16904
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9444
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13660
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:724
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6052
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:11040
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:15372
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7384
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9428
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:14640
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9604
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13924
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7004
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13472
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18292
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:4304
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18628
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9476
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13684
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:10996
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:408
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7344
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:17212
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9332
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13164
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:17876
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:10788
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:15096
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:7352
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:17380
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:9548
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:13868
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:12016
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:17616
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7264
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18788
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:9484
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:13800
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5296
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        6⤵
        
        PID:18548
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11276
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15464
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6880
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11364
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15952
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7152
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9516
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13948
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:11152
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:15448
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7280
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18796
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9340
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13172
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:18048
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:8816
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:18816
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:12152
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:17680
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:6936
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:11068
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:11388
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:15900
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:9628
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:13916
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:6336
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:12024
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:17860
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7304
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16888
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9396
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13932
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:7608
    - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
        5⤵
        
        PID:16896
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:9572
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:13860
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:11372
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:15816
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:7192
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:18564
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:9312
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:5808
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:12744
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:17808
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:11396
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:15892
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:7360
  - - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
      4⤵
      PID:16116
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:9564
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:13940
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  PID:5360
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:12040
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:17624
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  PID:7368
- - C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
    3⤵
    PID:18308
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  PID:9436
- C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba65977350fe214f6f53bfc7609dcd0N.exe"
  2⤵
  PID:13844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\american kicking blowjob several models .rar.exe

Filesize
1.3MB

MD5
6b253fbd470ed78055e0cbed159889e3

SHA1
69551d45e5421404225ee9682aa021df302212df

SHA256
ab64dcc18cee5fe23d1bd15ab1901418a53e9b936b7d1dbc279b4548db25a1fb

SHA512
dd6acc0592f4754e3116654cd58e1a55f797d957eca54d25556d7eb9b1cb58f4766c640606490ee5b5c4b4b44a7e7c94ffa28958a62be300852e105d2d707642

Download Submit