47caecf18636f927291636acbc40c3b5fff93b9b5371e5054775aa2deedb8e55

Analysis

max time kernel
17s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fd9c7c8860fdb39d108aa863444c4f0N.exe
Size

201KB
MD5

4fd9c7c8860fdb39d108aa863444c4f0
SHA1

03d2cbd3b28a1f68365a5a2583a520739e9a3b88
SHA256

47caecf18636f927291636acbc40c3b5fff93b9b5371e5054775aa2deedb8e55
SHA512

2bde0bd8a64a3b21e643bc6bf5640cb7ca0c908ca21623f1d60e746a8b4b69ae6684baf69ad8e5cf4c750a1c975dbc62ba537797f1681b4e842c43ca115d3ddb
SSDEEP

6144:dXC4vgmhbIxs3NBByQop9QBfdZY9ScmsbeL:dXCNi9BsVQ5s9SIK

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Y:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Z:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\G:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\I:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\J:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\O:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\P:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\V:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\A:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\B:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\H:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\L:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\N:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\X:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\E:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\K:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\S:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\U:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\W:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\M:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\Q:	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File opened (read-only)	\??\T:	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese blowjob blowjob licking hole .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian hidden hole sm (Gina,Sandy).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian beast masturbation .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lingerie fucking [free] swallow .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish xxx licking penetration .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\french horse big blondie .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\action [bangbus] titts black hairunshaved (Samantha,Sandy).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian bukkake catfight blondie .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian gang bang catfight YEâPSè& .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\System32\DriverStore\Temp\xxx uncut .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish gang bang lesbian .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american gay kicking sleeping .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\italian lingerie catfight hotel .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\german porn full movie hole (Christine,Kathrin).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\horse [free] (Liz,Ashley).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian cumshot several models titts .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\sperm horse [bangbus] cock lady (Sarah).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\canadian action [milf] .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\african action hardcore licking .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\british gang bang [free] .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese sperm catfight fishy .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7A02.tmp\black sperm sleeping ash (Karin).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\black blowjob public girly .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\malaysia lesbian beastiality catfight (Sonja).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\black kicking big boobs .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\kicking horse full movie bedroom .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\danish fetish gang bang several models ash .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish lesbian uncut (Sonja,Tatjana).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese blowjob beastiality [bangbus] lady (Sonja).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Google\Temp\british fucking lesbian vagina boots .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\american kicking big .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\norwegian nude horse masturbation latex .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\russian animal girls bondage .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\sperm cumshot full movie (Ashley,Gina).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\german fucking trambling girls (Gina).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\xxx licking shower .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\horse catfight girly .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\african beast lesbian nipples .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\trambling gay several models glans shoes .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\asian beastiality fetish [milf] legs 50+ (Ashley).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\lingerie action lesbian glans .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\tyrkish horse gang bang voyeur .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\chinese fetish beast catfight .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\mssrv.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\CbsTemp\horse horse hot (!) glans .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\PLA\Templates\lingerie kicking hot (!) .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\xxx kicking uncut (Sarah).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\InputMethod\SHARED\danish cum big .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\lesbian big girly .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\canadian beastiality [free] femdom .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\german fucking fucking lesbian boobs .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\brasilian bukkake catfight mature .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\tyrkish hardcore action [milf] (Jenna,Sonja).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\gay [free] fishy .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\porn [free] ash swallow .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\cumshot catfight (Jade).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\cum xxx voyeur pregnant .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\tyrkish cum sperm voyeur black hairunshaved .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\spanish horse catfight penetration .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\beast cumshot several models pregnant .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\horse fucking hot (!) hairy .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\tmp\nude girls gorgeoushorny (Samantha).avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Downloaded Program Files\cum sleeping girly .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse blowjob sleeping high heels .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\nude hot (!) .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\handjob xxx full movie 40+ .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cum several models ash upskirt .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian sperm fetish hot (!) mature .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\british lesbian handjob [bangbus] .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\beast licking bondage .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\blowjob handjob sleeping glans .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\american hardcore fucking public .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\assembly\temp\cumshot handjob hidden latex .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\porn hardcore catfight nipples bedroom .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\german lesbian sleeping high heels .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american beastiality cum public .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black beast porn big (Sonja,Kathrin).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\blowjob fucking girls .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\american fetish full movie nipples gorgeoushorny .rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\japanese beastiality licking beautyfull .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\black gay horse hidden wifey (Curtney).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\security\templates\tyrkish cumshot sperm lesbian ash .mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\asian fetish licking stockings (Tatjana).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\italian kicking bukkake masturbation ash .avi.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese porn hidden hole ejaculation (Kathrin).rar.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\french hardcore gang bang public hole granny .mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\action sleeping vagina (Samantha,Sandy).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\action licking YEâPSè& (Sylvia,Curtney).mpg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\italian gang bang fucking voyeur nipples .zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\malaysia beastiality licking fishy (Samantha).mpeg.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\blowjob blowjob lesbian gorgeoushorny (Sarah).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\SoftwareDistribution\Download\french sperm public (Britney,Samantha).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\blowjob voyeur balls (Karin).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\asian horse blowjob [free] nipples (Liz,Tatjana).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\swedish horse horse masturbation vagina ejaculation (Sarah).zip.exe	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4048	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4048	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2496	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3316	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3316	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3100	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3100	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4672	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4672	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1828	4fd9c7c8860fdb39d108aa863444c4f0N.exe
1828	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe
2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4500	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4500	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3412	4fd9c7c8860fdb39d108aa863444c4f0N.exe
3412	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4012	4fd9c7c8860fdb39d108aa863444c4f0N.exe
4012	4fd9c7c8860fdb39d108aa863444c4f0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1980	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	86
PID 2964 wrote to memory of 1980	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	86
PID 2964 wrote to memory of 1980	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	86
PID 2964 wrote to memory of 3236	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	87
PID 2964 wrote to memory of 3236	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	87
PID 2964 wrote to memory of 3236	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	87
PID 1980 wrote to memory of 4888	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	88
PID 1980 wrote to memory of 4888	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	88
PID 1980 wrote to memory of 4888	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	88
PID 2964 wrote to memory of 3264	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	89
PID 2964 wrote to memory of 3264	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	89
PID 2964 wrote to memory of 3264	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	89
PID 3236 wrote to memory of 2972	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	90
PID 3236 wrote to memory of 2972	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	90
PID 3236 wrote to memory of 2972	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	90
PID 1980 wrote to memory of 3716	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	91
PID 1980 wrote to memory of 3716	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	91
PID 1980 wrote to memory of 3716	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	91
PID 4888 wrote to memory of 3924	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	92
PID 4888 wrote to memory of 3924	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	92
PID 4888 wrote to memory of 3924	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	92
PID 2964 wrote to memory of 3316	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	95
PID 2964 wrote to memory of 3316	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	95
PID 2964 wrote to memory of 3316	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	95
PID 3264 wrote to memory of 2496	3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe	93
PID 3264 wrote to memory of 2496	3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe	93
PID 3264 wrote to memory of 2496	3264	4fd9c7c8860fdb39d108aa863444c4f0N.exe	93
PID 3236 wrote to memory of 4048	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	94
PID 3236 wrote to memory of 4048	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	94
PID 3236 wrote to memory of 4048	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	94
PID 1980 wrote to memory of 3100	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	96
PID 1980 wrote to memory of 3100	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	96
PID 1980 wrote to memory of 3100	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	96
PID 4888 wrote to memory of 4672	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	97
PID 4888 wrote to memory of 4672	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	97
PID 4888 wrote to memory of 4672	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	97
PID 2972 wrote to memory of 1828	2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe	98
PID 2972 wrote to memory of 1828	2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe	98
PID 2972 wrote to memory of 1828	2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe	98
PID 3716 wrote to memory of 2332	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	100
PID 3716 wrote to memory of 2332	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	100
PID 3716 wrote to memory of 2332	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	100
PID 3924 wrote to memory of 4500	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	99
PID 3924 wrote to memory of 4500	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	99
PID 3924 wrote to memory of 4500	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	99
PID 3924 wrote to memory of 4012	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	104
PID 3924 wrote to memory of 4012	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	104
PID 3924 wrote to memory of 4012	3924	4fd9c7c8860fdb39d108aa863444c4f0N.exe	104
PID 3716 wrote to memory of 3412	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	101
PID 3716 wrote to memory of 3412	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	101
PID 3716 wrote to memory of 3412	3716	4fd9c7c8860fdb39d108aa863444c4f0N.exe	101
PID 2964 wrote to memory of 3192	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	107
PID 2964 wrote to memory of 3192	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	107
PID 2964 wrote to memory of 3192	2964	4fd9c7c8860fdb39d108aa863444c4f0N.exe	107
PID 1980 wrote to memory of 2508	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	105
PID 1980 wrote to memory of 2508	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	105
PID 1980 wrote to memory of 2508	1980	4fd9c7c8860fdb39d108aa863444c4f0N.exe	105
PID 3236 wrote to memory of 1456	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	108
PID 3236 wrote to memory of 1456	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	108
PID 3236 wrote to memory of 1456	3236	4fd9c7c8860fdb39d108aa863444c4f0N.exe	108
PID 4888 wrote to memory of 3376	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	103
PID 4888 wrote to memory of 3376	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	103
PID 4888 wrote to memory of 3376	4888	4fd9c7c8860fdb39d108aa863444c4f0N.exe	103
PID 2972 wrote to memory of 3848	2972	4fd9c7c8860fdb39d108aa863444c4f0N.exe	102

C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11612
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11924
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8228
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11692
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11596
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11456
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8464
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11740
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11892
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8296
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11636
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9908
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11352
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7204
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9780
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11360
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:10488
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:1572
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7680
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:10340
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:3288
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11884
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11408
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6380
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11940
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8288
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11568
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8024
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11716
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11512
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7824
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10448
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7012
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11932
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8376
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:868
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11560
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7560
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:10276
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2076
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5196
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:8016
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11652
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6484
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11980
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8492
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11732
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5556
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9768
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11368
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11832
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11440
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6456
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:12248
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8440
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5668
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11272
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7276
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:10068
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11304
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11496
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7696
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10300
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9028
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11468
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6476
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11948
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8448
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11628
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8276
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11660
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6220
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11464
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8252
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11668
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:9260
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11416
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11520
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7756
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:10464
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:10720
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:10200
        
        C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        7⤵
        
        PID:11288
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:7268
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9924
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11336
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9752
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11392
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:6560
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11988
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8588
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11620
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:9744
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11384
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11964
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9252
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11424
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7796
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10456
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11480
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8160
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11708
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11552
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7764
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10440
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10940
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9668
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11376
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6600
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11972
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11536
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11312
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7036
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11868
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:9272
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11428
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8188
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11684
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11544
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7552
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:10268
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:32
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        6⤵
        
        PID:11700
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:7568
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:9940
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:8888
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:6556
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11876
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8500
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11528
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:960
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10040
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11320
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7228
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:10020
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11328
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8244
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11604
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:6176
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11488
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:8000
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:11724
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:10164
    - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
        5⤵
        
        PID:11184
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:7448
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11296
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:8484
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11644
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11448
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:8304
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:11676
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:10192
  - - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
      4⤵
      PID:11280
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7180
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:9600
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:11400
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:7240
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:9932
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:11344
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
    3⤵
    PID:11504
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:7716
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:10472
- C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\4fd9c7c8860fdb39d108aa863444c4f0N.exe"
  2⤵
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish lesbian uncut (Sonja,Tatjana).zip.exe

Filesize
252KB

MD5
bc7094a19114c372cfd3fb80b5e948a1

SHA1
da77812a808329736e0efd144f23b3ce6d26e5ee

SHA256
b597f67ea4c008a74bd3239d34d99c5b456f0821b58805aa5ec89013f1763c6e

SHA512
395d54d367465c875487a4630ce6554582bac6e582a59e3391854d8de963acf1e6c0c7c59111b96986e53a7cca129d72c6d91f9c9e5d43f67250bfe2f74bc843

Download Submit
memory/960-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1456-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2140-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2392-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2508-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2916-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2964-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2972-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3100-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3236-140-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3376-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3412-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3848-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4012-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4048-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4384-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4520-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4672-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4756-203-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4908-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4936-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5144-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5184-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5268-211-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5284-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5324-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5336-210-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5536-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5556-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5616-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5688-215-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5704-216-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5796-217-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5804-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5888-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5932-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5940-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5992-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6012-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6060-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6176-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6220-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6404-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6432-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6476-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6484-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6556-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6560-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6600-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6976-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7012-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7036-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7044-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7052-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7228-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7276-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7448-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7552-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7568-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7696-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7716-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7756-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7764-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7796-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7824-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8000-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8008-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8016-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8024-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8160-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8188-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8228-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8244-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8252-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8288-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8296-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8304-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8376-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8448-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8484-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8492-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8564-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8580-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8588-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8888-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9028-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9140-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9252-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9260-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9272-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9464-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9600-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9668-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9768-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download