2f680496bba32cac630a99a4f6bd5bd922700d0d7ad3812b9ce9d0cebf186b36

Analysis

max time kernel
16s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e39beb749bab9e7e012fe42b9bb04fc0N.exe
Size

861KB
MD5

e39beb749bab9e7e012fe42b9bb04fc0
SHA1

504d49d3fa828da4a44be7681c22095819a2efc5
SHA256

2f680496bba32cac630a99a4f6bd5bd922700d0d7ad3812b9ce9d0cebf186b36
SHA512

a2d5e47842ce40155b1ec68486693d70c952188984cfaaa0869939db50d6985a6b9f49d89ecaa6887556ca680a3523175b930ab376c9738702d83d143431d472
SSDEEP

24576:lHxyu7vbLaLSxJ4VjgYBLkUZRO7MvkRce:RMGvaLgJ4ixlqkF

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3956-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000a0000000233e5-5.dat	upx
behavioral2/memory/2044-24-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4864-196-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-197-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2164-225-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3956-224-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4288-226-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4224-230-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2044-236-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3880-237-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2340-238-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/660-242-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-241-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1368-240-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4864-239-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2208-243-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4676-244-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1864-246-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2164-245-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4288-247-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5044-248-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/464-250-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4224-249-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3880-252-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4460-253-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1368-257-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3340-255-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2340-254-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4516-256-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3636-261-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2208-260-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3672-259-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/660-258-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4676-262-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1864-265-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5044-266-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1688-264-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4460-269-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4692-268-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/464-267-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3236-263-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1804-270-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4516-272-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2688-274-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1668-273-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3340-271-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3636-278-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2784-277-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1632-276-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3672-275-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1688-280-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5032-281-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3236-279-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1732-285-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4692-295-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4168-294-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5148-305-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5196-306-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2688-304-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1668-303-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1804-302-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5224-301-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5204-300-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\X:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\B:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\G:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\P:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\Q:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\R:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\V:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\M:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\O:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\U:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\Y:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\N:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\A:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\E:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\H:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\J:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\K:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\L:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\I:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\S:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\T:	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File opened (read-only)	\??\Z:	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\british horse hot (!) balls .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish gang bang uncut (Liz).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\canadian cum full movie stockings (Sonja,Ashley).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian porn voyeur tß .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian beast beast uncut girly (Ashley).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\french beastiality nude sleeping stockings .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\german sperm voyeur .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\handjob several models titts femdom (Melissa).mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gay bukkake several models titts .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\xxx lesbian catfight cock .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black bukkake voyeur latex .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\horse [bangbus] wifey .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\porn trambling voyeur vagina .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\norwegian cum public leather .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\british action licking .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\dotnet\shared\cum porn [bangbus] .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish lesbian sleeping young .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay horse hidden .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\lesbian horse big black hairunshaved .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\british lingerie blowjob voyeur gorgeoushorny .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\trambling licking cock .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\cum [free] upskirt (Sonja).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian horse hidden (Anniston,Sylvia).mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Google\Temp\blowjob masturbation ash (Karin,Ashley).rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking [milf] titts .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\norwegian gay catfight sm (Gina,Sarah).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese fucking [free] gorgeoushorny (Gina,Anniston).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\black porn uncut vagina (Sonja,Sarah).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\german porn beastiality licking traffic .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\japanese horse masturbation titts pregnant .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\kicking action lesbian .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\norwegian hardcore hidden titts penetration (Sonja).rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\african sperm nude hidden feet leather .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\kicking lingerie voyeur high heels (Samantha,Sylvia).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\norwegian trambling gang bang hidden .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\japanese handjob horse girls circumcision .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx lingerie girls vagina .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\horse public cock gorgeoushorny .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\kicking girls 50+ (Curtney,Liz).mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\nude bukkake catfight .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\xxx several models legs upskirt .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\german gang bang uncut legs swallow .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\Downloaded Program Files\animal porn [free] sweet .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\danish fucking sleeping .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\danish hardcore big .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\tyrkish beast hardcore [bangbus] shower (Sonja).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\blowjob porn lesbian .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\italian sperm blowjob [free] legs stockings .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\swedish beastiality big cock pregnant .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob public ash (Janette).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish xxx horse [milf] vagina swallow .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\norwegian hardcore catfight beautyfull .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\nude horse voyeur sm (Sandy).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\spanish blowjob voyeur vagina wifey (Kathrin,Karin).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\french bukkake porn full movie boobs (Anniston,Anniston).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\swedish cumshot licking vagina .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\bukkake full movie upskirt .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\black animal lesbian public .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\horse uncut (Sylvia,Karin).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\brasilian beast masturbation .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\nude bukkake public boobs latex (Samantha,Christine).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\chinese gay uncut granny .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\fucking fucking public .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\horse lingerie catfight .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\CbsTemp\nude handjob [milf] mistress (Melissa).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\malaysia gang bang [bangbus] redhair .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\malaysia beastiality uncut redhair (Sarah,Anniston).rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\xxx uncut ejaculation (Ashley,Christine).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\assembly\temp\fucking full movie YEâPSè& .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\japanese bukkake action big .zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\handjob sperm lesbian titts Ôï (Anniston).mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\xxx girls glans .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\cum [bangbus] .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\french cum voyeur shower .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\black horse xxx several models titts granny .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\sperm girls upskirt .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\lingerie bukkake big young .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\hardcore [milf] cock swallow (Sonja,Ashley).mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\asian lesbian nude girls legs (Karin).avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian lesbian action several models vagina castration .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\american action sleeping shower .mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\indian nude licking .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian gay licking legs Œã .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\tyrkish nude beast licking nipples wifey (Samantha,Gina).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\italian trambling public hole .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\blowjob big feet ejaculation .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\xxx [bangbus] titts (Sandy).zip.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\SoftwareDistribution\Download\horse girls girly .avi.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\japanese bukkake hot (!) .rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\russian horse sleeping wifey .mpg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\animal lesbian hidden (Anniston,Sylvia).rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\gang bang cum uncut boobs upskirt (Janette).rar.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe
File created	C:\Windows\assembly\tmp\brasilian horse catfight (Jenna,Tatjana).mpeg.exe	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2340	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2340	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1368	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1368	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
660	e39beb749bab9e7e012fe42b9bb04fc0N.exe
660	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2208	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2208	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4676	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4676	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1864	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe
2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe
5044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
5044	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe
464	e39beb749bab9e7e012fe42b9bb04fc0N.exe
464	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe
3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4460	e39beb749bab9e7e012fe42b9bb04fc0N.exe
4460	e39beb749bab9e7e012fe42b9bb04fc0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 2044	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	87
PID 3956 wrote to memory of 2044	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	87
PID 3956 wrote to memory of 2044	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	87
PID 3956 wrote to memory of 4864	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	88
PID 3956 wrote to memory of 4864	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	88
PID 3956 wrote to memory of 4864	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	88
PID 2044 wrote to memory of 1088	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	89
PID 2044 wrote to memory of 1088	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	89
PID 2044 wrote to memory of 1088	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	89
PID 4864 wrote to memory of 2164	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	94
PID 4864 wrote to memory of 2164	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	94
PID 4864 wrote to memory of 2164	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	94
PID 3956 wrote to memory of 4288	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	95
PID 3956 wrote to memory of 4288	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	95
PID 3956 wrote to memory of 4288	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	95
PID 2044 wrote to memory of 4224	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	96
PID 2044 wrote to memory of 4224	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	96
PID 2044 wrote to memory of 4224	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	96
PID 1088 wrote to memory of 3880	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	97
PID 1088 wrote to memory of 3880	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	97
PID 1088 wrote to memory of 3880	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	97
PID 4864 wrote to memory of 2340	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	98
PID 4864 wrote to memory of 2340	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	98
PID 4864 wrote to memory of 2340	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	98
PID 3956 wrote to memory of 1368	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	99
PID 3956 wrote to memory of 1368	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	99
PID 3956 wrote to memory of 1368	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	99
PID 4288 wrote to memory of 660	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	100
PID 4288 wrote to memory of 660	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	100
PID 4288 wrote to memory of 660	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	100
PID 2044 wrote to memory of 2208	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	101
PID 2044 wrote to memory of 2208	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	101
PID 2044 wrote to memory of 2208	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	101
PID 2164 wrote to memory of 4676	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	102
PID 2164 wrote to memory of 4676	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	102
PID 2164 wrote to memory of 4676	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	102
PID 1088 wrote to memory of 1864	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	103
PID 1088 wrote to memory of 1864	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	103
PID 1088 wrote to memory of 1864	1088	e39beb749bab9e7e012fe42b9bb04fc0N.exe	103
PID 4224 wrote to memory of 5044	4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe	104
PID 4224 wrote to memory of 5044	4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe	104
PID 4224 wrote to memory of 5044	4224	e39beb749bab9e7e012fe42b9bb04fc0N.exe	104
PID 3880 wrote to memory of 464	3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe	105
PID 3880 wrote to memory of 464	3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe	105
PID 3880 wrote to memory of 464	3880	e39beb749bab9e7e012fe42b9bb04fc0N.exe	105
PID 4864 wrote to memory of 4460	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	107
PID 4864 wrote to memory of 4460	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	107
PID 4864 wrote to memory of 4460	4864	e39beb749bab9e7e012fe42b9bb04fc0N.exe	107
PID 2340 wrote to memory of 3340	2340	e39beb749bab9e7e012fe42b9bb04fc0N.exe	108
PID 2340 wrote to memory of 3340	2340	e39beb749bab9e7e012fe42b9bb04fc0N.exe	108
PID 2340 wrote to memory of 3340	2340	e39beb749bab9e7e012fe42b9bb04fc0N.exe	108
PID 3956 wrote to memory of 4516	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	109
PID 3956 wrote to memory of 4516	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	109
PID 3956 wrote to memory of 4516	3956	e39beb749bab9e7e012fe42b9bb04fc0N.exe	109
PID 4288 wrote to memory of 3672	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	110
PID 4288 wrote to memory of 3672	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	110
PID 4288 wrote to memory of 3672	4288	e39beb749bab9e7e012fe42b9bb04fc0N.exe	110
PID 2044 wrote to memory of 3636	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	111
PID 2044 wrote to memory of 3636	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	111
PID 2044 wrote to memory of 3636	2044	e39beb749bab9e7e012fe42b9bb04fc0N.exe	111
PID 2164 wrote to memory of 3236	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	112
PID 2164 wrote to memory of 3236	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	112
PID 2164 wrote to memory of 3236	2164	e39beb749bab9e7e012fe42b9bb04fc0N.exe	112
PID 1368 wrote to memory of 1688	1368	e39beb749bab9e7e012fe42b9bb04fc0N.exe	113

C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:13028
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:19392
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:20196
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:20028
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13284
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:18404
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:20832
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:11312
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13228
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:12124
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13076
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:18356
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20908
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11848
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13148
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:11592
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13188
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:2744
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:16280
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:3116
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:10068
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20012
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13368
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18832
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5140
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20220
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11296
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13236
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6572
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13456
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8996
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20004
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:12212
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13052
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:15528
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:18368
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19384
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19980
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:5500
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13320
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18928
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19852
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:10448
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20100
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13020
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:5352
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6580
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:12240
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13044
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19004
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8980
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19988
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11888
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13108
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18808
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11372
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13220
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7576
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20140
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10176
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19036
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5148
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20156
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11164
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13268
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18944
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6620
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13488
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:9036
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20172
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13544
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:16756
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        8⤵
        
        PID:20076
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13336
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:15832
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:9716
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19908
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13504
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18796
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20132
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19828
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11944
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:3748
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6636
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13584
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18736
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8912
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20252
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11692
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13140
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13464
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18852
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7556
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20284
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10048
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13344
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8476
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19868
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8424
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13244
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18844
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:12196
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13068
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19916
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:11700
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13132
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19360
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:19956
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11552
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13180
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7192
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13392
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19028
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:9492
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19948
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13520
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:704
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8060
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20164
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10752
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18968
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6548
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13416
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:9072
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19860
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13528
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:18956
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6180
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11340
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13004
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:752
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8184
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19924
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:10808
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19812
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13012
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8816
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19940
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:12116
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13084
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:6596
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13472
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:8888
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:20260
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:12108
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13092
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:3848
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:10780
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:13292
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:15512
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:2432
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:10024
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13376
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18728
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:20084
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:10796
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13308
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19408
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13432
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18408
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20204
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11668
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13116
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18988
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:12132
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:12996
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19344
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19932
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11136
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13252
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5384
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8068
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:18420
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10764
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20044
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3320
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19804
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19044
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6540
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13560
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5552
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8972
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20108
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:11660
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13164
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19352
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11256
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13260
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19020
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7548
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20060
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10232
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19972
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13352
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18348
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5204
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8580
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19964
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11584
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13212
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18996
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6556
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:12204
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13060
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8920
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20092
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:11716
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13156
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6072
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8928
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:20036
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13328
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18756
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:7220
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13384
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:9472
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20212
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13496
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19376
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5224
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:8176
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20228
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:11172
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13276
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:6644
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13408
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5240
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:8964
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:20068
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:11708
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13120
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:3612
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:8708
        
        C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        7⤵
        
        PID:21236
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:11624
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:13172
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:7228
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:15504
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19836
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13512
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18872
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:8568
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19892
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:11608
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13196
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6652
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13440
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:400
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:9004
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20180
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13552
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:18864
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:6208
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10772
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:13300
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:18396
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:7912
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19796
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:10628
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20052
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:18820
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:7648
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20236
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19884
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13360
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:1844
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:6628
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13480
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:18920
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:9012
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:20148
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13036
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:16240
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5028
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5676
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:10716
      - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        6⤵
        
        PID:19820
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:7640
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20188
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:9956
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19900
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13400
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19400
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:7896
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20276
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:10620
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:20020
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:11100
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:18980
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:6660
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:13424
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:3248
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19092
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:11880
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13100
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:22804
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:10428
    - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
        5⤵
        
        PID:19876
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:5520
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:7764
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:20268
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:10456
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:20244
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:16828
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:8716
  - - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
      "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
      4⤵
      PID:19996
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:11544
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13204
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:2132
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  PID:6588
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:13448
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:1388
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  PID:9028
- - C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
    3⤵
    PID:19844
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  PID:13536
- C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e39beb749bab9e7e012fe42b9bb04fc0N.exe"
  2⤵
  PID:19012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\cum [free] upskirt (Sonja).zip.exe

Filesize
371KB

MD5
3edfa9faa8cb39f0476d0197b5be0e4f

SHA1
c8b69c0660451bb0ebaa84133048c66e63f67eee

SHA256
28e8194beaa6f5faea0ec6ef99e905081c117eeb3d2613b99cc5204bb6e9221c

SHA512
72a636c086e45fee26d70f61ecb913ec99a05fc83ff5caca38d151d5b416026cef9ffcb6b524918e3798f0ed5847cc843b50f47450fd5caf01da37f884222799

Download Submit
C:\debug.txt

Filesize
146B

MD5
eaf33b3b7cf7140ade262e99b58b8538

SHA1
3137b5faeccd63f20d35cd2317eca9d82d50585f

SHA256
497b26a792c500d6d1b27dc965e602d53aec4da7638c8e39e882e4dcf7067034

SHA512
c6a6a19ae9e2c02b33971f4721089f9b40d1d2d4ef0791685d035604d015588203be2a89e2a2a1e609a84569c3da38d5d02d85f6e4b2bda899199ed1dea2455f

Download Submit
memory/464-250-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/464-267-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/660-258-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/660-242-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-197-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-241-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1276-288-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1276-326-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1368-240-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1368-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1632-276-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1632-310-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1668-273-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1668-303-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1688-280-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1688-264-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1732-285-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1804-302-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1804-270-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1864-265-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1864-246-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2044-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2044-236-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2164-225-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2164-245-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2204-325-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2204-287-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2208-243-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2208-260-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2340-254-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2340-238-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2688-304-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2688-274-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2784-277-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2784-311-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3236-279-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3236-263-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3308-296-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3340-255-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3340-271-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3636-261-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3636-278-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3672-275-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3672-259-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3880-237-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3880-252-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3956-224-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3956-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4168-294-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4224-249-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4224-230-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4288-247-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4288-226-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4316-324-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4316-286-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4460-253-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4460-269-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4516-272-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4516-256-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4676-262-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4676-244-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4692-268-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4692-295-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4864-196-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4864-239-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5032-281-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5032-317-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5044-248-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5044-266-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5124-327-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5124-289-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5132-328-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5132-290-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5140-329-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5140-291-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5148-305-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5156-330-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5156-292-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5164-297-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5172-298-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5180-331-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5180-293-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5188-299-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5196-306-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5204-300-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5224-301-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5324-319-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5340-318-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5344-320-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5676-321-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6056-313-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6064-312-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6072-314-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6080-315-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6168-322-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/6180-323-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download