xtremerat | 44ad557c0ab3afb9b705071f29b47da96ec36ca513e3159286e51682dc6ade3d

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2025, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
Size

285KB
MD5

ef12e05e6574ccb9217ca43121bf0f69
SHA1

e1c7af9bbc5dd38a023f80bf81a1d34191eeeb1c
SHA256

44ad557c0ab3afb9b705071f29b47da96ec36ca513e3159286e51682dc6ade3d
SHA512

ab216d5785e5cf26db9c036054b4470d78435798a765801230f799b5fc3d6bc7ac80e5edd2eca78a750eff298524d136039d353b1c4a1f5f7a960abdcb11372c
SSDEEP

6144:8JZ61AGWfu0tBXQQPekwZ5BtMoj6D6SP8XrWU:oo1AGd0/QsekwXPj6tUXr

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 31 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023e26-21.dat	family_xtremerat
behavioral2/memory/3848-36-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4780-43-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2064-48-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/5012-53-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1560-59-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1596-64-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4704-69-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4696-74-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4872-81-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4556-87-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1288-92-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4184-97-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1208-102-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4692-107-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4948-112-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/4812-117-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1644-122-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2784-127-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2124-132-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/3764-137-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2656-142-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/532-147-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/5012-152-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/964-157-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2364-162-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/964-167-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1940-171-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/5176-177-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/5316-181-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/5468-185-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	4576	Process not Found

Checks computer location settings 2 TTPs 32 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	%tmp%.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdate .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupdate .exe	cmd.exe

Executes dropped EXE 31 IoCs

pid	Process
3848	%tmp%.exe
4780	%tmp%.exe
2064	%tmp%.exe
5012	%tmp%.exe
1560	%tmp%.exe
1596	%tmp%.exe
4704	%tmp%.exe
4696	%tmp%.exe
4872	%tmp%.exe
4556	%tmp%.exe
1288	%tmp%.exe
4184	%tmp%.exe
1208	%tmp%.exe
4692	%tmp%.exe
4948	%tmp%.exe
4812	%tmp%.exe
1644	%tmp%.exe
2784	%tmp%.exe
2124	%tmp%.exe
3764	%tmp%.exe
2656	%tmp%.exe
532	%tmp%.exe
5012	%tmp%.exe
964	%tmp%.exe
2364	%tmp%.exe
964	%tmp%.exe
1940	%tmp%.exe
5176	%tmp%.exe
5316	%tmp%.exe
5468	%tmp%.exe
5604	%tmp%.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3584	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2104	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	87
PID 1528 wrote to memory of 2104	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	87
PID 1528 wrote to memory of 2104	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	87
PID 1528 wrote to memory of 4512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	89
PID 1528 wrote to memory of 4512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	89
PID 1528 wrote to memory of 4512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	89
PID 1528 wrote to memory of 3920	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	90
PID 1528 wrote to memory of 3920	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	90
PID 1528 wrote to memory of 3920	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	90
PID 1528 wrote to memory of 3952	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	91
PID 1528 wrote to memory of 3952	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	91
PID 1528 wrote to memory of 3952	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	91
PID 1528 wrote to memory of 3512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	92
PID 1528 wrote to memory of 3512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	92
PID 1528 wrote to memory of 3512	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	92
PID 1528 wrote to memory of 3848	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	94
PID 1528 wrote to memory of 3848	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	94
PID 1528 wrote to memory of 3848	1528	JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe	94
PID 2104 wrote to memory of 1764	2104	cmd.exe	95
PID 2104 wrote to memory of 1764	2104	cmd.exe	95
PID 2104 wrote to memory of 1764	2104	cmd.exe	95
PID 3848 wrote to memory of 4424	3848	%tmp%.exe	96
PID 3848 wrote to memory of 4424	3848	%tmp%.exe	96
PID 1764 wrote to memory of 4580	1764	wscript.exe	97
PID 1764 wrote to memory of 4580	1764	wscript.exe	97
PID 1764 wrote to memory of 4580	1764	wscript.exe	97
PID 3848 wrote to memory of 4424	3848	%tmp%.exe	96
PID 3848 wrote to memory of 4300	3848	%tmp%.exe	100
PID 3848 wrote to memory of 4300	3848	%tmp%.exe	100
PID 3848 wrote to memory of 4300	3848	%tmp%.exe	100
PID 3848 wrote to memory of 3076	3848	%tmp%.exe	101
PID 3848 wrote to memory of 3076	3848	%tmp%.exe	101
PID 3848 wrote to memory of 3076	3848	%tmp%.exe	101
PID 3848 wrote to memory of 3728	3848	%tmp%.exe	102
PID 3848 wrote to memory of 3728	3848	%tmp%.exe	102
PID 3848 wrote to memory of 3728	3848	%tmp%.exe	102
PID 3848 wrote to memory of 3436	3848	%tmp%.exe	103
PID 3848 wrote to memory of 3436	3848	%tmp%.exe	103
PID 3848 wrote to memory of 3436	3848	%tmp%.exe	103
PID 3848 wrote to memory of 3328	3848	%tmp%.exe	104
PID 3848 wrote to memory of 3328	3848	%tmp%.exe	104
PID 3848 wrote to memory of 3328	3848	%tmp%.exe	104
PID 3848 wrote to memory of 2292	3848	%tmp%.exe	105
PID 3848 wrote to memory of 2292	3848	%tmp%.exe	105
PID 3848 wrote to memory of 2292	3848	%tmp%.exe	105
PID 3848 wrote to memory of 1324	3848	%tmp%.exe	106
PID 3848 wrote to memory of 1324	3848	%tmp%.exe	106
PID 3848 wrote to memory of 4780	3848	%tmp%.exe	107
PID 3848 wrote to memory of 4780	3848	%tmp%.exe	107
PID 3848 wrote to memory of 4780	3848	%tmp%.exe	107
PID 4780 wrote to memory of 4644	4780	%tmp%.exe	108
PID 4780 wrote to memory of 4644	4780	%tmp%.exe	108
PID 4780 wrote to memory of 4644	4780	%tmp%.exe	108
PID 4780 wrote to memory of 1888	4780	%tmp%.exe	109
PID 4780 wrote to memory of 1888	4780	%tmp%.exe	109
PID 4780 wrote to memory of 1888	4780	%tmp%.exe	109
PID 4780 wrote to memory of 4884	4780	%tmp%.exe	110
PID 4780 wrote to memory of 4884	4780	%tmp%.exe	110
PID 4780 wrote to memory of 4884	4780	%tmp%.exe	110
PID 4780 wrote to memory of 2840	4780	%tmp%.exe	111
PID 4780 wrote to memory of 2840	4780	%tmp%.exe	111
PID 4780 wrote to memory of 2840	4780	%tmp%.exe	111
PID 4780 wrote to memory of 5044	4780	%tmp%.exe	112
PID 4780 wrote to memory of 5044	4780	%tmp%.exe	112

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef12e05e6574ccb9217ca43121bf0f69.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\lala.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\lala2.bat
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\lala2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:4580
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:4512
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:3920
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:3952
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
  "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
    "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:5044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
      "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4860
    - - C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:4136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:1076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:3916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:1468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:2016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        18⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:3428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:4504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        20⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:2936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:3416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:2552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:2560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:4824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        22⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:3620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:4368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:3272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        24⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:5016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:3608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        26⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:3888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:1156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:3068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        28⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        30⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        32⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
        
        "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:5648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:5660

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0Y1OEE4MzAtRDlCRS00OTI5LUFFQ0MtODQ4RjM3NDFCMUFBfSIgdXNlcmlkPSJ7QTdGNzk2RDEtNUM4Qi00RUJBLUEwOTctNDExQjUxMEJBRDE3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUZDM0ZENUUtOUY3Ri00QkJGLUI1MjEtMEE2NTk2NjNFOEJDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzc3MDQ2NzUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
40KB

MD5
95a4cc9c3b2c3711a05231d7b4999e91

SHA1
0ca7aeccd7a28fc5089bc3f8072f6695ef12fef7

SHA256
58e7509df157c710d9443d23e15012dbdf3329a087f2c9d469bfd0855124ebbf

SHA512
8f04d9b92b05bfbc03b4aa748cb25deafd7a02c3c1ffb98764feacf74ca2f4bdf63d4b4d05446bd515c8a12eee7a86b6784b30b2e7a2b280b52f0eaffbdea754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Kq8ac4p.cfg

Filesize
1KB

MD5
bb277a3649ba85cec050b06199f2b012

SHA1
b29ae1d9bbfea06b046b9431bd41437415c3e08d

SHA256
02c63af4c9bfe6dcc85f5191ebfa57ee42b324472b91ce5ff4e5e5d2fb2bbda2

SHA512
16e8e90b44a48648e8e2f586cd8c3a8e6e977cc375ab6740860db06196bb18ccc623b5963d3442f5c7eb58488fd1eb31874e38963312573c9691788bd0e54809

Download Submit
C:\Users\Admin\AppData\Roaming\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\lala.bat

Filesize
53B

MD5
da2f62b3f68d61e7ff27df1155637ae1

SHA1
326f9ab4df92d730d0f22d0ee5e0faf661c7ac59

SHA256
547013d5a8e3c6f94e61a6e9d0a052451e4a73e54b11b8dd4d1ff357f96cad41

SHA512
f2e24b25add6479f5cc6746392be03f2d6a1ed3afd6b279aefa5614b81279d45c572344e24e3daf849974bc5fae3c0451ddf2c66e338268d22589aeb2b41c34d

Download Submit
C:\Users\Admin\AppData\Roaming\lala2.bat

Filesize
162B

MD5
6f7261170e8fe346091572a58cad91ba

SHA1
724e733616e8142ca24577d416e1a7b7b1573442

SHA256
5cd362104b9d7b73c0b8f668eda12f56766c0c9d98ba6208bad1172d11558103

SHA512
47a698fe6f19f0ba7574370e471338233d942dafcfc96bef96631bd11d44ea16e15e37acc50b51efcc08dc8f6e6df49c6a77c38c92ea4571e3ca4fe1cb75c270

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32-.txt

Filesize
285KB

MD5
ef12e05e6574ccb9217ca43121bf0f69

SHA1
e1c7af9bbc5dd38a023f80bf81a1d34191eeeb1c

SHA256
44ad557c0ab3afb9b705071f29b47da96ec36ca513e3159286e51682dc6ade3d

SHA512
ab216d5785e5cf26db9c036054b4470d78435798a765801230f799b5fc3d6bc7ac80e5edd2eca78a750eff298524d136039d353b1c4a1f5f7a960abdcb11372c

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/532-147-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/964-167-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/964-157-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1208-102-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1288-92-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1528-79-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1528-40-0x00000000749E2000-0x00000000749E3000-memory.dmp

Filesize
4KB

Download
memory/1528-1-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1528-0-0x00000000749E2000-0x00000000749E3000-memory.dmp

Filesize
4KB

Download
memory/1528-2-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1528-41-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/1560-59-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1596-64-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1644-122-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/1940-171-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2064-48-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2124-132-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2364-162-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2656-142-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2784-127-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3764-137-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3848-36-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4184-97-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4556-87-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4692-107-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4696-74-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4704-69-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4780-43-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4812-117-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4872-81-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4948-112-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5012-152-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5012-53-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5176-177-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5316-181-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/5468-185-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download