af0c2b69a97f6558e07e8d8d0382dad3b6719998a6456c9d1cb5e94c873b6f5e

Analysis

max time kernel
15s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0ee0cc358cc1950138fd3c152fb00b0N.exe
Size

1.7MB
MD5

f0ee0cc358cc1950138fd3c152fb00b0
SHA1

8f8b9b8fd6ede9fdf5cc815988033b798f25db84
SHA256

af0c2b69a97f6558e07e8d8d0382dad3b6719998a6456c9d1cb5e94c873b6f5e
SHA512

6eeb6d1ea6cd20524cf0faa33b947777f7570503bcc8fd87d98866eeb9df65af9451dd5870280fa8ab2ae4be82698095ad91e5539032263c31eff99f63868288
SSDEEP

49152:5ouZBfKohqt6+1S4SF+SB6wTbaogNghkycMwph4Vi:dhzx1fkwnoNghh0pqi

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\G:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\K:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\O:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\U:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\X:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\Y:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\I:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\L:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\M:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\P:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\V:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\B:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\J:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\Q:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\S:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\Z:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\A:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\H:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\N:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\R:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\T:	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File opened (read-only)	\??\W:	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\canadian beast [bangbus] cock .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\british nude several models glans .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black nude xxx sleeping YEâPSè& .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\canadian gay sperm [milf] glans .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\System32\DriverStore\Temp\french beastiality nude hidden legs balls .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese horse [milf] hotel .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\trambling handjob hot (!) .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gay fetish several models .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish horse handjob big boobs sweet (Sarah,Christine).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\german horse masturbation (Christine,Tatjana).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\malaysia horse licking legs redhair .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\spanish cum beastiality [free] feet stockings (Jenna,Christine).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\spanish fucking public hole (Kathrin,Jade).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\dotnet\shared\hardcore sperm girls Ôï .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia horse cum big boobs black hairunshaved .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian horse hidden .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish kicking hidden .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\trambling catfight upskirt .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\horse blowjob licking girly .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\norwegian gay cumshot girls (Karin).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Google\Temp\norwegian cumshot uncut nipples redhair .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lingerie sleeping penetration (Janette,Tatjana).zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\fetish xxx public legs sweet .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\spanish lingerie gay public (Liz,Ashley).zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\lesbian xxx voyeur legs penetration (Sarah).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\italian gay several models .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\asian beastiality handjob [free] ash .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian trambling fucking [bangbus] .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fetish fetish full movie .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\beast fetish uncut girly .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\russian animal voyeur (Karin,Samantha).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\black action horse [milf] 50+ .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\british xxx catfight legs .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\swedish handjob hardcore [bangbus] YEâPSè& .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\beast voyeur ejaculation (Tatjana).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\fetish blowjob masturbation bedroom .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\bukkake catfight girly .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\beastiality uncut glans redhair .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\fucking cum hot (!) cock granny .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\swedish porn blowjob masturbation legs balls .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\swedish kicking animal licking boobs .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\cum beastiality [milf] (Sonja).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\CbsTemp\xxx masturbation high heels (Britney).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\spanish horse catfight pregnant (Samantha).rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\action horse girls cock (Ashley,Sonja).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\InputMethod\SHARED\nude beast uncut feet (Kathrin).rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\action fetish masturbation ash ejaculation (Samantha).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\horse public castration .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\russian fetish big shower .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\french animal action hot (!) redhair .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\mssrv.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\swedish lingerie action masturbation pregnant .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\malaysia lingerie hot (!) .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\french handjob lesbian girls wifey .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\chinese trambling cumshot [free] (Jenna,Jenna).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish kicking horse big (Tatjana,Jade).mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\chinese xxx hardcore licking high heels .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\nude gay uncut redhair .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\british porn nude voyeur boobs (Jade).rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\norwegian cum uncut traffic (Janette,Melissa).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\chinese gay lesbian castration .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\sperm voyeur legs castration (Tatjana).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\cumshot girls boobs sm .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\canadian cumshot sperm lesbian feet .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\hardcore hardcore hot (!) titts castration .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\british lingerie [bangbus] legs swallow .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\handjob big vagina .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\french beastiality several models .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\gang bang public .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\cum girls .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\swedish nude trambling hidden feet .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\asian sperm big femdom .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\canadian xxx hot (!) mistress .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\beast lingerie [milf] shower .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\sperm bukkake [milf] glans .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\beastiality voyeur 40+ .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\assembly\temp\canadian horse licking beautyfull (Britney).zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\african horse full movie latex .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\nude cumshot [milf] .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish cumshot licking gorgeoushorny .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\black fucking horse lesbian penetration .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\gang bang blowjob uncut leather (Sonja).rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\asian sperm cumshot girls mature .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\asian gay action girls vagina .avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\japanese cumshot masturbation .mpg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\american beastiality fucking public sm .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\asian nude lesbian swallow .rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\assembly\tmp\swedish trambling several models high heels .zip.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\animal blowjob hidden .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\indian kicking [bangbus] YEâPSè& (Janette,Jade).mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\african gay lesbian boobs mature (Tatjana).avi.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\sperm [bangbus] young (Curtney).rar.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\japanese horse hidden .mpeg.exe	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
448	f0ee0cc358cc1950138fd3c152fb00b0N.exe
448	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1620	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1620	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4836	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4836	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4200	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4200	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4324	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4324	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2384	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2384	f0ee0cc358cc1950138fd3c152fb00b0N.exe
448	f0ee0cc358cc1950138fd3c152fb00b0N.exe
448	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2996	f0ee0cc358cc1950138fd3c152fb00b0N.exe
2996	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4344	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4344	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4364	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4364	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe
1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4360	f0ee0cc358cc1950138fd3c152fb00b0N.exe
4360	f0ee0cc358cc1950138fd3c152fb00b0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 4684	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	89
PID 4084 wrote to memory of 4684	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	89
PID 4084 wrote to memory of 4684	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	89
PID 4084 wrote to memory of 2132	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	94
PID 4084 wrote to memory of 2132	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	94
PID 4084 wrote to memory of 2132	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	94
PID 4684 wrote to memory of 4252	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	95
PID 4684 wrote to memory of 4252	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	95
PID 4684 wrote to memory of 4252	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	95
PID 4084 wrote to memory of 1316	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	96
PID 4084 wrote to memory of 1316	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	96
PID 4084 wrote to memory of 1316	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	96
PID 4684 wrote to memory of 448	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	97
PID 4684 wrote to memory of 448	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	97
PID 4684 wrote to memory of 448	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	97
PID 4252 wrote to memory of 1688	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	98
PID 4252 wrote to memory of 1688	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	98
PID 4252 wrote to memory of 1688	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	98
PID 2132 wrote to memory of 1288	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	99
PID 2132 wrote to memory of 1288	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	99
PID 2132 wrote to memory of 1288	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	99
PID 4684 wrote to memory of 4200	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	102
PID 4684 wrote to memory of 4200	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	102
PID 4684 wrote to memory of 4200	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	102
PID 2132 wrote to memory of 4836	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	104
PID 2132 wrote to memory of 4836	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	104
PID 2132 wrote to memory of 4836	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	104
PID 448 wrote to memory of 2384	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	105
PID 448 wrote to memory of 2384	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	105
PID 448 wrote to memory of 2384	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	105
PID 4084 wrote to memory of 1620	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	101
PID 4084 wrote to memory of 1620	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	101
PID 4084 wrote to memory of 1620	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	101
PID 4252 wrote to memory of 4324	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	103
PID 4252 wrote to memory of 4324	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	103
PID 4252 wrote to memory of 4324	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	103
PID 1316 wrote to memory of 2996	1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe	106
PID 1316 wrote to memory of 2996	1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe	106
PID 1316 wrote to memory of 2996	1316	f0ee0cc358cc1950138fd3c152fb00b0N.exe	106
PID 1288 wrote to memory of 4364	1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe	107
PID 1288 wrote to memory of 4364	1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe	107
PID 1288 wrote to memory of 4364	1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe	107
PID 1688 wrote to memory of 4344	1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe	108
PID 1688 wrote to memory of 4344	1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe	108
PID 1688 wrote to memory of 4344	1688	f0ee0cc358cc1950138fd3c152fb00b0N.exe	108
PID 4084 wrote to memory of 3728	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	110
PID 4084 wrote to memory of 3728	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	110
PID 4084 wrote to memory of 3728	4084	f0ee0cc358cc1950138fd3c152fb00b0N.exe	110
PID 2132 wrote to memory of 4360	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	111
PID 2132 wrote to memory of 4360	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	111
PID 2132 wrote to memory of 4360	2132	f0ee0cc358cc1950138fd3c152fb00b0N.exe	111
PID 448 wrote to memory of 3128	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	112
PID 448 wrote to memory of 3128	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	112
PID 448 wrote to memory of 3128	448	f0ee0cc358cc1950138fd3c152fb00b0N.exe	112
PID 4684 wrote to memory of 4460	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	113
PID 4684 wrote to memory of 4460	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	113
PID 4684 wrote to memory of 4460	4684	f0ee0cc358cc1950138fd3c152fb00b0N.exe	113
PID 4252 wrote to memory of 5024	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	114
PID 4252 wrote to memory of 5024	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	114
PID 4252 wrote to memory of 5024	4252	f0ee0cc358cc1950138fd3c152fb00b0N.exe	114
PID 1620 wrote to memory of 4152	1620	f0ee0cc358cc1950138fd3c152fb00b0N.exe	115
PID 1620 wrote to memory of 4152	1620	f0ee0cc358cc1950138fd3c152fb00b0N.exe	115
PID 1620 wrote to memory of 4152	1620	f0ee0cc358cc1950138fd3c152fb00b0N.exe	115
PID 1288 wrote to memory of 4964	1288	f0ee0cc358cc1950138fd3c152fb00b0N.exe	116

C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        9⤵
        
        PID:19272
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:12112
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:17024
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:17984
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:16684
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:13508
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:19184
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:17476
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:10956
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:15804
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:19016
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17480
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10836
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15384
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:11528
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:16436
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17936
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10876
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15392
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17928
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:12092
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17036
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13920
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7672
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15832
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10364
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14312
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:21256
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:18016
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:12764
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:18032
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:18040
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:11692
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:16776
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17380
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10888
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15416
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6668
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13092
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:18480
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7696
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17268
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10556
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14676
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:20508
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19144
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7848
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17896
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10868
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15228
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13332
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19240
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7744
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:18008
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10844
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15772
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6332
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13928
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:860
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7776
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17284
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10852
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15440
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:9724
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:21044
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:13804
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:19512
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17252
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10932
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15812
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:15300
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10604
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:14924
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:5860
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6552
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13420
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19192
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17912
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10904
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15400
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6020
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:12516
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17872
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7864
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:18024
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11012
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15288
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:1016
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13556
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19256
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7728
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17396
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11684
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:16768
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6452
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14180
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:20728
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7752
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17904
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10924
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15796
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:12568
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15328
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7840
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17976
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10896
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15432
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7172
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13912
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:20180
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7632
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17628
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10356
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14356
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:21472
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6676
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13324
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:19128
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7712
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17300
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10636
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15184
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6608
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:9732
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:21356
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13812
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:19528
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17388
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10916
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15368
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:5156
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:9656
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:21000
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13548
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:19136
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7036
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:14072
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:20456
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7656
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:17656
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:10296
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:14276
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:21224
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        8⤵
        
        PID:20904
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:13076
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:18716
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17920
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:11004
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:15788
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:996
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:13252
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:19004
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:15820
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:10348
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:14288
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:21216
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13084
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:18472
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7704
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17260
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11572
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:16592
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:5984
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:9480
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:20448
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13596
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19248
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17584
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11304
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:16264
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:8200
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17944
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11700
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:16724
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13464
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:19176
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7680
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17292
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10548
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:14872
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:3148
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3652
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:5828
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17856
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:12600
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17992
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7128
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13240
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19024
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7640
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:16576
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10460
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14568
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:5240
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:9248
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:20316
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13112
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:18260
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6764
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:13988
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:20308
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7688
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17308
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10448
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:14736
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:5624
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:21056
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17816
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7608
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15168
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6580
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10036
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13896
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:20720
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:9828
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:21232
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13760
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:19536
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7136
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13456
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:19208
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7616
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15320
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:10372
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:14172
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:20712
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:828
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6036
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        7⤵
        
        PID:17952
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:12644
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:18048
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7816
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17864
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10940
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15780
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6644
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:13380
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:19152
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7720
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17276
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10628
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15176
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:6512
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:14364
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:21464
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7760
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17212
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10860
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15408
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        6⤵
        
        PID:17968
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:11808
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:16940
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7832
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17888
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:10996
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:15424
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:9172
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17880
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:12592
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:17748
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7008
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13904
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:20472
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7648
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:17492
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:10304
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:14300
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:21116
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:10820
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:15236
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:17616
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:11452
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:16312
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:9180
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:19232
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:12688
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:18000
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:13060
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:18708
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7664
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:14720
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:10644
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:15160
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
        5⤵
        
        PID:19264
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:12508
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:17404
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:7800
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:17836
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:10964
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:15848
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:9716
  - - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
      4⤵
      PID:20992
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:13752
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:19520
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  PID:7904
- - C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
    3⤵
    PID:17064
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  PID:10948
- C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ee0cc358cc1950138fd3c152fb00b0N.exe"
  2⤵
  PID:15376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian horse hidden .avi.exe

Filesize
913KB

MD5
e2c77d10b7c8bb61ae182437896815a4

SHA1
5dfb648d789b7f6b722dd85fd8802ee509899123

SHA256
96f14dc47261dc48ef686bc16e3b0fc2f18ba675f072994b50821e64e42eb810

SHA512
86a273b79f14ff4d85dc7b8edcf1b35570ea3025853a24a538794c7d8520fa850024e8096850a4b7265543c8eeaa5ce26b0fb71251b50f5cf47f7a39a0f674a4

Download Submit
C:\debug.txt

Filesize
146B

MD5
30780b1c846f1c99ce28207b86dd3fde

SHA1
3d947f9beeac10e0ddb0755759b59141910c0ec0

SHA256
aaab44d508de318cd8bdfa7496a74468ec4f35e535a0fddfcf93a277c7be910c

SHA512
bc731dfe202de42eceaf44a36618f2d809fc4993570353953d68ee626a14c56abd73a210bb12fb5beb1ee054adb45285bb70800f620f0b52877efc16ff352ab8

Download Submit