b0edd3f465402a74feeb3cd75a898182bcd444fc13c1d3aee772153dbcaa89d7

Analysis

max time kernel
15s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecdb0f3366feb124acda02b48d73d4e0N.exe
Size

509KB
MD5

ecdb0f3366feb124acda02b48d73d4e0
SHA1

5e43ca762dcae770a0c246c19fa35b0dbff0c289
SHA256

b0edd3f465402a74feeb3cd75a898182bcd444fc13c1d3aee772153dbcaa89d7
SHA512

734b8f0490d6919b5356cc5eaa02f2fbc1aae8c0b416e2a81220d848a5e1fdd8baeab046033570d010ef1aab59e630fe354bca762282127d8a420c8f4641f450
SSDEEP

12288:JXCNi9Bis1sEj2WM68yL/I7eWuNgprugO7KH0Z7n9gx8K:sWxXjMHTtROez

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ecdb0f3366feb124acda02b48d73d4e0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ecdb0f3366feb124acda02b48d73d4e0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\N:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\P:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\R:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\W:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\X:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\Z:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\A:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\E:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\H:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\J:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\M:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\T:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\L:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\Q:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\S:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\U:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\G:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\I:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\K:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\O:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\V:	ecdb0f3366feb124acda02b48d73d4e0N.exe
File opened (read-only)	\??\Y:	ecdb0f3366feb124acda02b48d73d4e0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\indian kicking lesbian public balls .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian kicking blowjob public feet .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\blowjob full movie glans leather .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american handjob fucking uncut glans blondie .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish kicking lingerie several models hole swallow .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\hardcore masturbation titts ash .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\black fetish fucking hot (!) titts wifey .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black cum lesbian full movie titts circumcision .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian handjob bukkake hidden .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lingerie voyeur castration (Kathrin,Samantha).zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american cumshot trambling [milf] gorgeoushorny (Anniston,Samantha).mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black nude bukkake catfight cock wifey (Janette).mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish animal sperm licking traffic .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\horse full movie titts .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\dotnet\shared\tyrkish horse trambling uncut black hairunshaved .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\horse girls feet .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\russian kicking trambling full movie .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian handjob fucking big feet (Sandy,Jade).mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese nude bukkake licking cock wifey .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\black fetish bukkake full movie (Samantha).rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\bukkake public 50+ .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish cumshot gay girls feet sweet .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\danish horse blowjob hidden glans (Britney,Sylvia).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black action beast girls .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\black action lingerie lesbian titts traffic .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\american nude beast big .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\horse licking hairy (Britney,Tatjana).zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\tyrkish nude beast [free] (Jade).zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\bukkake public hole 50+ .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Program Files (x86)\Google\Temp\japanese handjob gay several models titts pregnant .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\trambling several models (Sarah).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\british blowjob masturbation sweet .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\black fetish beast girls redhair .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\security\templates\sperm uncut castration (Kathrin,Janette).mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish porn gay public (Jade).rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\malaysia horse full movie .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\horse full movie hole fishy (Samantha).mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\malaysia fucking girls cock .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\bukkake hot (!) glans stockings .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\PLA\Templates\black action lingerie public blondie .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\asian gay public .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking licking feet wifey .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\cum lingerie hot (!) YEâPSè& .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\trambling [bangbus] (Tatjana).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\kicking beast masturbation beautyfull (Britney,Janette).mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\canadian lesbian hidden beautyfull .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\indian cum sperm big cock mature .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\indian cum blowjob [bangbus] feet lady .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian gang bang xxx [free] cock boots .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\assembly\tmp\horse [milf] titts mistress (Sarah).rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\italian cum fucking licking .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\action lingerie several models hairy .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\russian gang bang hardcore full movie gorgeoushorny .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\cumshot lingerie catfight .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\nude bukkake big feet Ôï .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\british blowjob several models circumcision (Kathrin,Melissa).zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\british hardcore uncut pregnant .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\spanish gay public .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\brasilian beastiality fucking catfight titts bondage .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\InputMethod\SHARED\american action sperm [milf] pregnant .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\horse licking feet gorgeoushorny .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\cumshot lingerie hot (!) glans (Anniston,Samantha).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\german lesbian hot (!) titts swallow (Tatjana).mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\animal trambling voyeur cock .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\italian cum bukkake several models swallow .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\action lesbian licking feet .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\danish handjob sperm [bangbus] circumcision .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\CbsTemp\italian action gay voyeur .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\canadian hardcore masturbation mistress (Jenna,Curtney).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\russian animal beast catfight feet .mpeg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\asian xxx hot (!) cock .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\british lingerie [bangbus] 40+ (Sonja,Liz).zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\chinese bukkake big (Jade).rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish beastiality trambling hot (!) castration .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\horse public (Karin).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\british beast [bangbus] femdom .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\brasilian porn xxx hidden femdom .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\swedish action trambling hot (!) ejaculation (Sandy,Samantha).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\canadian hardcore big .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie [free] mature .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\blowjob [milf] feet .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\fucking masturbation hairy .mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\beastiality lingerie girls titts castration (Tatjana).mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\norwegian lesbian hot (!) cock (Sonja,Sylvia).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\porn bukkake [milf] YEâPSè& .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\mssrv.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\indian cumshot lingerie [free] shoes .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\black gang bang fucking full movie glans (Sonja,Curtney).mpg.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\fetish hardcore girls (Jade).avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\russian beastiality bukkake voyeur high heels .zip.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\italian fetish gay big gorgeoushorny .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\handjob trambling girls sm .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\russian gang bang horse big .rar.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian porn blowjob masturbation shoes .avi.exe	ecdb0f3366feb124acda02b48d73d4e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb0f3366feb124acda02b48d73d4e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
2704	ecdb0f3366feb124acda02b48d73d4e0N.exe
2704	ecdb0f3366feb124acda02b48d73d4e0N.exe
2428	ecdb0f3366feb124acda02b48d73d4e0N.exe
2428	ecdb0f3366feb124acda02b48d73d4e0N.exe
1636	ecdb0f3366feb124acda02b48d73d4e0N.exe
1636	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
3556	ecdb0f3366feb124acda02b48d73d4e0N.exe
3556	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
1912	ecdb0f3366feb124acda02b48d73d4e0N.exe
1912	ecdb0f3366feb124acda02b48d73d4e0N.exe
2968	ecdb0f3366feb124acda02b48d73d4e0N.exe
2968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4704	ecdb0f3366feb124acda02b48d73d4e0N.exe
4704	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
4968	ecdb0f3366feb124acda02b48d73d4e0N.exe
2076	ecdb0f3366feb124acda02b48d73d4e0N.exe
2076	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
1852	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
3312	ecdb0f3366feb124acda02b48d73d4e0N.exe
2704	ecdb0f3366feb124acda02b48d73d4e0N.exe
2704	ecdb0f3366feb124acda02b48d73d4e0N.exe
4528	ecdb0f3366feb124acda02b48d73d4e0N.exe
4528	ecdb0f3366feb124acda02b48d73d4e0N.exe
1040	ecdb0f3366feb124acda02b48d73d4e0N.exe
1040	ecdb0f3366feb124acda02b48d73d4e0N.exe
2428	ecdb0f3366feb124acda02b48d73d4e0N.exe
2428	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
3756	ecdb0f3366feb124acda02b48d73d4e0N.exe
4904	ecdb0f3366feb124acda02b48d73d4e0N.exe
4904	ecdb0f3366feb124acda02b48d73d4e0N.exe
4964	ecdb0f3366feb124acda02b48d73d4e0N.exe
4964	ecdb0f3366feb124acda02b48d73d4e0N.exe
1636	ecdb0f3366feb124acda02b48d73d4e0N.exe
1636	ecdb0f3366feb124acda02b48d73d4e0N.exe
3556	ecdb0f3366feb124acda02b48d73d4e0N.exe
3556	ecdb0f3366feb124acda02b48d73d4e0N.exe
4424	ecdb0f3366feb124acda02b48d73d4e0N.exe
4424	ecdb0f3366feb124acda02b48d73d4e0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1852	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	87
PID 4968 wrote to memory of 1852	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	87
PID 4968 wrote to memory of 1852	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	87
PID 4968 wrote to memory of 3312	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	91
PID 4968 wrote to memory of 3312	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	91
PID 4968 wrote to memory of 3312	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	91
PID 1852 wrote to memory of 3756	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	92
PID 1852 wrote to memory of 3756	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	92
PID 1852 wrote to memory of 3756	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	92
PID 3312 wrote to memory of 2704	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	95
PID 3312 wrote to memory of 2704	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	95
PID 3312 wrote to memory of 2704	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	95
PID 4968 wrote to memory of 1636	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	96
PID 4968 wrote to memory of 1636	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	96
PID 4968 wrote to memory of 1636	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	96
PID 1852 wrote to memory of 2428	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	97
PID 1852 wrote to memory of 2428	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	97
PID 1852 wrote to memory of 2428	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	97
PID 3756 wrote to memory of 3556	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	98
PID 3756 wrote to memory of 3556	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	98
PID 3756 wrote to memory of 3556	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	98
PID 4968 wrote to memory of 2076	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	100
PID 4968 wrote to memory of 2076	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	100
PID 4968 wrote to memory of 2076	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	100
PID 1852 wrote to memory of 1912	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	101
PID 1852 wrote to memory of 1912	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	101
PID 1852 wrote to memory of 1912	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	101
PID 3312 wrote to memory of 2968	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	102
PID 3312 wrote to memory of 2968	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	102
PID 3312 wrote to memory of 2968	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	102
PID 2704 wrote to memory of 4704	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	103
PID 2704 wrote to memory of 4704	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	103
PID 2704 wrote to memory of 4704	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	103
PID 2428 wrote to memory of 4528	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	104
PID 2428 wrote to memory of 4528	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	104
PID 2428 wrote to memory of 4528	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	104
PID 3756 wrote to memory of 1040	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	105
PID 3756 wrote to memory of 1040	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	105
PID 3756 wrote to memory of 1040	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	105
PID 1636 wrote to memory of 4904	1636	ecdb0f3366feb124acda02b48d73d4e0N.exe	106
PID 1636 wrote to memory of 4904	1636	ecdb0f3366feb124acda02b48d73d4e0N.exe	106
PID 1636 wrote to memory of 4904	1636	ecdb0f3366feb124acda02b48d73d4e0N.exe	106
PID 3556 wrote to memory of 4964	3556	ecdb0f3366feb124acda02b48d73d4e0N.exe	107
PID 3556 wrote to memory of 4964	3556	ecdb0f3366feb124acda02b48d73d4e0N.exe	107
PID 3556 wrote to memory of 4964	3556	ecdb0f3366feb124acda02b48d73d4e0N.exe	107
PID 1852 wrote to memory of 4424	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	108
PID 1852 wrote to memory of 4424	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	108
PID 1852 wrote to memory of 4424	1852	ecdb0f3366feb124acda02b48d73d4e0N.exe	108
PID 1912 wrote to memory of 3284	1912	ecdb0f3366feb124acda02b48d73d4e0N.exe	109
PID 1912 wrote to memory of 3284	1912	ecdb0f3366feb124acda02b48d73d4e0N.exe	109
PID 1912 wrote to memory of 3284	1912	ecdb0f3366feb124acda02b48d73d4e0N.exe	109
PID 4968 wrote to memory of 3104	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	110
PID 4968 wrote to memory of 3104	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	110
PID 4968 wrote to memory of 3104	4968	ecdb0f3366feb124acda02b48d73d4e0N.exe	110
PID 2704 wrote to memory of 212	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	111
PID 2704 wrote to memory of 212	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	111
PID 2704 wrote to memory of 212	2704	ecdb0f3366feb124acda02b48d73d4e0N.exe	111
PID 2428 wrote to memory of 928	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	112
PID 2428 wrote to memory of 928	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	112
PID 2428 wrote to memory of 928	2428	ecdb0f3366feb124acda02b48d73d4e0N.exe	112
PID 3756 wrote to memory of 5108	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	113
PID 3756 wrote to memory of 5108	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	113
PID 3756 wrote to memory of 5108	3756	ecdb0f3366feb124acda02b48d73d4e0N.exe	113
PID 3312 wrote to memory of 3076	3312	ecdb0f3366feb124acda02b48d73d4e0N.exe	114

C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        8⤵
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        8⤵
        
        PID:12804
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        8⤵
        
        PID:14700
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        8⤵
        
        PID:12724
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        8⤵
        
        PID:14864
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:9288
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:12812
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:14824
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:9900
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:14772
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:11336
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15136
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:8452
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:11884
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15024
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15184
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15256
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10296
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12788
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14848
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12336
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14936
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8520
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11948
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14984
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:11040
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:14708
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15700
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10288
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:5372
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:9268
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12772
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14840
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6668
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12244
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14912
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8612
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9984
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14928
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10328
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:7304
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:17456
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10236
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15344
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9836
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:13320
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14756
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6560
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11356
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15140
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8472
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11996
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15000
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:9588
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:13032
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:14832
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15264
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10272
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15320
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15328
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12476
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14732
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8420
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11520
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15080
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6292
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:9828
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:11112
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14748
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:7592
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15280
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10340
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15224
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5308
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9000
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12592
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14896
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6632
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11316
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15152
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8480
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:12000
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14992
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6176
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10136
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15312
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:7392
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15208
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10312
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8356
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15216
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11220
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15168
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11348
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15128
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8596
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:12236
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14944
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6152
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9596
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:13004
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14808
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:7276
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15272
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:10280
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15296
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8936
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:12532
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14920
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:6624
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11556
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15072
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:8436
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:11548
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:15048
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:15336
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        7⤵
        
        PID:16916
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10264
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15304
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:5348
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12228
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14952
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:11504
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15096
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8488
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11900
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15008
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:11096
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:15176
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:7540
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14632
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8020
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:13472
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5332
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9420
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12796
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14872
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6592
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11536
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15064
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8504
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11908
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15016
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:10044
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14692
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10752
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15192
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9308
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12888
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14888
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6648
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12500
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14724
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8512
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:12092
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14968
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6168
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9956
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:13328
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14764
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:7316
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15200
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:10320
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15248
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:9612
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:13100
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14784
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:6600
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14716
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:8496
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:12012
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:14976
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3652
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:9604
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12996
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14792
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:6992
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:12120
      - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        6⤵
        
        PID:14960
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:8920
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12464
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14904
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:9240
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:12716
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:14880
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6616
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:11372
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15120
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:8428
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11856
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15040
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6428
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10028
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15352
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:7600
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15288
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:10352
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15232
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:9280
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:13020
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14816
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11564
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15056
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:8460
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:11876
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:15032
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:6192
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:10052
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:13196
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:7652
    - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
        5⤵
        
        PID:15240
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:10252
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14620
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:5268
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:9260
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:12780
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14856
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:6576
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:11512
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:15104
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:8364
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:11496
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:15112
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:6200
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:10012
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:14740
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:7548
  - - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
      "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
      4⤵
      PID:16924
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:10304
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:1780
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:9580
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:13012
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:14800
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  PID:6640
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:11284
- - C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
    3⤵
    PID:15160
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  PID:8444
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  PID:11488
- C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb0f3366feb124acda02b48d73d4e0N.exe"
  2⤵
  PID:15088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\russian kicking trambling full movie .rar.exe

Filesize
1.5MB

MD5
7a6959c1f52914d8f2f1d6035e223032

SHA1
2c69875cdb25d18562bf1f8695a7ddc43cd2cacf

SHA256
1cb374192dd113370e0f9bfa44b4cdec9582633cf93682d0181f8631093d4fa5

SHA512
c7b311b518e3ad1f093949ebc21333ed38c9396f07a08c8d6c9725b779af0f3b3574dfae589eb04c18ab59ce666e25a74041c6759b5bb5e617f7021cf58edce8

Download Submit