4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25e

Analysis

max time kernel
12s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Size

437KB
MD5

c018fe834cf9a6194a488b2e98e2e910
SHA1

38f8c3696741a8732ff53225208388627ef96a10
SHA256

4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25e
SHA512

4b23d75690c9eb5a58ede5b4dcad84f635f161f11316cd650a0613cc6e745a473a6488be5a8215fdc36145aa86dbc4a6327d2d7ff37ddda6bcbaa7d272af6fba
SSDEEP

12288:dXCNi9BuJdXgK7+SWtsFN/c9BOE2NMZMsTEV1c2:oWOwKzWtSN/c9YE2Eqx

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\J:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\N:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\R:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\S:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\T:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\A:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\B:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\E:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\G:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\H:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\K:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\V:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\W:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\X:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\Q:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\U:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\Y:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\L:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\M:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\O:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\P:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File opened (read-only)	\??\Z:	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\japanese kicking fucking catfight .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black gang bang lingerie public wifey .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\FxsTmp\kicking lesbian lesbian .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm uncut glans (Anniston,Melissa).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish porn lingerie full movie cock lady (Sarah).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american porn bukkake [bangbus] latex .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish fetish lesbian big cock .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake sleeping glans young (Curtney).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beast lesbian feet shower .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\System32\DriverStore\Temp\bukkake [bangbus] .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black nude lingerie voyeur (Tatjana).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese beastiality trambling licking cock .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Templates\italian animal lingerie sleeping latex .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie masturbation .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\italian handjob sperm hidden bedroom .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american fetish lingerie girls boots .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Google\Temp\japanese porn sperm big titts shoes (Jade).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian cum fucking catfight ash (Kathrin,Liz).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish cumshot gay several models feet .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\blowjob sleeping .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian animal lingerie [bangbus] titts .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\xxx hidden (Tatjana).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Google\Update\Download\lingerie uncut (Samantha).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU99A0.tmp\danish cumshot sperm hidden titts bedroom (Karin).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\dotnet\shared\tyrkish animal blowjob girls pregnant .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian gang bang xxx catfight (Jade).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\sperm full movie black hairunshaved (Ashley,Karin).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Microsoft\Temp\swedish cum lesbian several models hole .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\blowjob sleeping .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish animal horse girls mature .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish action bukkake hidden bondage .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\tyrkish nude bukkake licking .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\norwegian fucking big (Samantha).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\danish porn fucking uncut hole ejaculation (Tatjana).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\CbsTemp\lesbian masturbation penetration .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\action trambling hot (!) upskirt .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\german xxx uncut .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\canadian sperm girls balls (Sandy,Sarah).avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese cumshot sperm hidden (Liz).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\bukkake uncut ejaculation .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\canadian trambling lesbian titts traffic (Liz).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\russian gang bang xxx catfight mature .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\brasilian cum trambling masturbation titts .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\porn trambling lesbian .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\british xxx full movie glans bedroom (Melissa).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\chinese blowjob several models bedroom .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\Downloaded Program Files\beast big .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\asian horse sleeping .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\handjob blowjob catfight .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\french lesbian [milf] hole blondie .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black cumshot gay sleeping hotel (Anniston,Sarah).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\bukkake hidden redhair .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\german beast [bangbus] hole 40+ (Curtney).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\gay [milf] hole wifey (Janette).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\asian lesbian girls .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\tmp\italian gang bang gay sleeping (Curtney).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore hot (!) .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\french lesbian masturbation (Sylvia).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\beastiality trambling voyeur cock mature .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\InputMethod\SHARED\japanese cum hardcore catfight feet leather (Janette).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\PLA\Templates\trambling [bangbus] penetration .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian beastiality xxx several models hole circumcision (Sarah).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\xxx big .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\indian horse sperm lesbian shoes .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\blowjob sleeping latex (Britney,Sarah).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\bukkake several models (Karin).avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french bukkake voyeur (Curtney).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\japanese action xxx hot (!) titts .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\spanish beast public black hairunshaved .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\norwegian xxx hot (!) .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\brasilian horse bukkake girls cock .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\british blowjob big .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\blowjob several models (Karin).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\temp\swedish beastiality bukkake public glans .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\cumshot lesbian sleeping feet .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\porn fucking sleeping feet (Sandy,Janette).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\horse [bangbus] pregnant (Christine,Sarah).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\danish fetish sperm [bangbus] cock hairy .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\asian horse several models glans bedroom (Sylvia).mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black cumshot gay [bangbus] glans (Ashley,Karin).rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\black horse trambling lesbian mature .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lesbian full movie upskirt .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\italian cumshot xxx full movie glans 50+ .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\canadian blowjob big titts circumcision .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black handjob lingerie lesbian (Sarah).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish kicking fucking [milf] fishy (Sonja,Karin).zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\security\templates\swedish gang bang trambling hidden hole beautyfull .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\swedish handjob horse [free] titts .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\norwegian blowjob uncut cock young .rar.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\malaysia fucking uncut balls .mpg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\chinese blowjob girls shoes (Sandy,Karin).mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\mssrv.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\american action blowjob big .zip.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\gay catfight feet .mpeg.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\chinese gay uncut .avi.exe	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5024	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5024	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3668	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3668	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1392	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1392	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3404	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3404	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2692	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
2692	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4280	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
4280	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3968	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
3968	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1112	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
1112	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4512	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	89
PID 2032 wrote to memory of 4512	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	89
PID 2032 wrote to memory of 4512	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	89
PID 4512 wrote to memory of 1012	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	90
PID 4512 wrote to memory of 1012	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	90
PID 4512 wrote to memory of 1012	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	90
PID 2032 wrote to memory of 748	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	91
PID 2032 wrote to memory of 748	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	91
PID 2032 wrote to memory of 748	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	91
PID 4512 wrote to memory of 1308	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	97
PID 4512 wrote to memory of 1308	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	97
PID 4512 wrote to memory of 1308	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	97
PID 2032 wrote to memory of 2304	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	98
PID 2032 wrote to memory of 2304	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	98
PID 2032 wrote to memory of 2304	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	98
PID 1012 wrote to memory of 1604	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	99
PID 1012 wrote to memory of 1604	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	99
PID 1012 wrote to memory of 1604	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	99
PID 748 wrote to memory of 5076	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	100
PID 748 wrote to memory of 5076	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	100
PID 748 wrote to memory of 5076	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	100
PID 4512 wrote to memory of 5024	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	101
PID 4512 wrote to memory of 5024	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	101
PID 4512 wrote to memory of 5024	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	101
PID 2032 wrote to memory of 3668	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	102
PID 2032 wrote to memory of 3668	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	102
PID 2032 wrote to memory of 3668	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	102
PID 1308 wrote to memory of 1392	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	103
PID 1308 wrote to memory of 1392	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	103
PID 1308 wrote to memory of 1392	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	103
PID 2304 wrote to memory of 3404	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	104
PID 2304 wrote to memory of 3404	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	104
PID 2304 wrote to memory of 3404	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	104
PID 1012 wrote to memory of 2692	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	106
PID 1012 wrote to memory of 2692	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	106
PID 1012 wrote to memory of 2692	1012	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	106
PID 1604 wrote to memory of 4280	1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	107
PID 1604 wrote to memory of 4280	1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	107
PID 1604 wrote to memory of 4280	1604	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	107
PID 5076 wrote to memory of 1112	5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	108
PID 5076 wrote to memory of 1112	5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	108
PID 5076 wrote to memory of 1112	5076	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	108
PID 748 wrote to memory of 3968	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	109
PID 748 wrote to memory of 3968	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	109
PID 748 wrote to memory of 3968	748	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	109
PID 5024 wrote to memory of 820	5024	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	110
PID 5024 wrote to memory of 820	5024	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	110
PID 5024 wrote to memory of 820	5024	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	110
PID 4512 wrote to memory of 3984	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	111
PID 4512 wrote to memory of 3984	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	111
PID 4512 wrote to memory of 3984	4512	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	111
PID 2032 wrote to memory of 2260	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	112
PID 2032 wrote to memory of 2260	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	112
PID 2032 wrote to memory of 2260	2032	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	112
PID 3668 wrote to memory of 3048	3668	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	113
PID 3668 wrote to memory of 3048	3668	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	113
PID 3668 wrote to memory of 3048	3668	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	113
PID 1308 wrote to memory of 448	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	114
PID 1308 wrote to memory of 448	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	114
PID 1308 wrote to memory of 448	1308	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	114
PID 2304 wrote to memory of 1544	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	115
PID 2304 wrote to memory of 1544	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	115
PID 2304 wrote to memory of 1544	2304	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	115
PID 3404 wrote to memory of 3704	3404	4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe	116

C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
"C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        8⤵
        
        PID:9004
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        8⤵
        
        PID:11196
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:8320
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:11072
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:10492
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:7080
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:10876
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:3584
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:9780
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:10924
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5576
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9740
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6832
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:7236
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10852
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:13112
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8268
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:11188
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5544
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9788
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5500
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8148
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10828
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6520
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9356
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:12084
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8260
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10964
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5568
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8336
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11080
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6800
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10708
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8056
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:11132
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:9516
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:13156
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:7704
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:10900
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5584
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:12452
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6960
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11040
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:448
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9468
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:13136
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8220
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10940
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5504
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8068
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10780
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:7088
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8172
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10892
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9380
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8204
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10932
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8276
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11024
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6976
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:13144
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8092
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10772
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6584
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:9844
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8212
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10916
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:9772
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:6948
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:13324
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:8132
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:10804
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5296
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        7⤵
        
        PID:9748
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:11032
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:5528
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:8916
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:11172
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:7160
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8140
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10812
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5212
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9756
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:12124
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8116
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:10908
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8636
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11124
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:7072
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8188
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10844
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5324
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6420
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9764
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8292
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11064
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8252
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11016
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:7096
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8156
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10820
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:9812
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10796
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:5560
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:9496
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:12596
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:7152
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:8180
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:10836
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:6560
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:9348
      - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        6⤵
        
        PID:12120
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:8236
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:11048
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:9820
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:7116
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:13396
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8164
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10884
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6528
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:9340
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8284
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:10948
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:9804
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:7360
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:13368
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:8124
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:10788
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:6568
    - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
        5⤵
        
        PID:9796
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:8228
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:11008
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:5616
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:9828
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:6216
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:10956
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
      "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
      4⤵
      PID:9880
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:8328
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:11180
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:8244
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:11056
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  PID:7104
- - C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
    3⤵
    PID:13404
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  PID:8084
- C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe
  "C:\Users\Admin\AppData\Local\Temp\4ff7d34a2c891402769549ce3a671286e5f8dbc22abd1e3d180d240fc8e3e25eN.exe"
  2⤵
  PID:10668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie masturbation .rar.exe

Filesize
1.2MB

MD5
0c441b699dbc78d387dc9738225a40e8

SHA1
92c955e70d928b09d8f094f8232e4b293bc9e2f2

SHA256
1928eba67c1fa81137c86e01121d7266e78a8d802d31106970013bfe385ba26b

SHA512
9ed294ab1da0cb33299ae370d53608de8eec227dd01b47652b7ba09c38b0ff430a2fd42b12409d443ff048f7c50c88c287ea873254e280ddfb68172c0753a6b5

Download Submit