01afcde14230c7e8092b4b538b23587cdd4199ec2fbd5b619c1698b420a84594

Analysis

max time kernel
16s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 02:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5317c3c4874a89f7d05ee15cd1004fb0N.exe
Size

1.8MB
MD5

5317c3c4874a89f7d05ee15cd1004fb0
SHA1

667b5aeda839d342abc4ecfa028ee1e9cf1aad14
SHA256

01afcde14230c7e8092b4b538b23587cdd4199ec2fbd5b619c1698b420a84594
SHA512

6f81fe7e44dfc0956a4edea8ee8205b0310bc0382324cb68a96d3b65bbeca6a717bef4698d86ce80fb8e202f3ad5eb86bb1f46d93c3eb478c9287f84e3e61a9e
SSDEEP

49152:HuIO10y5OruHgkCIWewlrr+OhIIjxw39WVpM:H5OefKg5new0Ou2xwtWVy

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2396-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x00080000000233a3-5.dat	upx
behavioral2/memory/4932-23-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3492-149-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1568-174-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4084-179-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4384-184-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1900-186-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2396-185-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3788-189-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4932-188-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1692-187-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3980-191-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2456-190-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4944-193-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1568-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1032-196-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4496-195-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3492-192-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1844-198-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2496-200-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5056-199-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2396-197-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1448-202-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3456-203-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4384-201-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3900-206-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3156-205-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4356-204-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1900-207-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4060-208-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4692-210-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1692-209-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3788-211-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1084-212-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4944-214-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3980-213-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4132-217-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2416-216-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1032-215-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4812-218-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2496-222-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4060-230-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1448-224-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2952-226-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2888-223-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2388-237-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/224-236-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1084-233-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4492-229-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3900-228-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3156-227-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4948-235-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/672-234-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2988-232-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4692-231-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3456-225-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4132-243-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2416-242-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4812-244-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5856-245-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2712-248-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4632-247-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1896-246-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\R:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\V:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\W:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\Y:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\G:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\J:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\Q:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\S:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\T:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\A:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\B:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\H:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\K:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\L:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\N:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\P:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\E:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\I:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\M:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\U:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\X:	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File opened (read-only)	\??\Z:	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian hot (!) feet .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish kicking hardcore [bangbus] upskirt .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie voyeur mistress .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian kicking gay catfight feet girly .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish nude lesbian big titts granny (Jade).avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie uncut leather (Sonja,Tatjana).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\horse big .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\blowjob [milf] wifey .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian action hardcore [milf] ejaculation (Ashley,Jade).mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian handjob blowjob big bedroom .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian action trambling full movie .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian beastiality trambling masturbation .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\swedish animal fucking big .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\sperm hot (!) .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\black nude trambling voyeur titts castration .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\bukkake [free] glans sweet .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\tyrkish beastiality lesbian big (Liz).rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob public sm (Jenna,Samantha).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Google\Temp\indian handjob hardcore masturbation hole YEâPSè& (Tatjana).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast catfight glans YEâPSè& .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\dotnet\shared\japanese porn beast hot (!) glans .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\blowjob several models gorgeoushorny .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\sperm big hole .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\sperm voyeur blondie .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian gang bang horse voyeur shower (Jenna,Samantha).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\kicking lesbian girls hole circumcision .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\italian porn sperm lesbian titts .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american handjob hardcore hot (!) titts boots .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\tyrkish cumshot fucking lesbian sweet (Britney,Janette).mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\asian horse hidden titts ejaculation .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\temp\italian action fucking catfight feet (Gina,Tatjana).mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\norwegian xxx big feet .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\asian lingerie lesbian glans castration .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\kicking lingerie uncut (Curtney).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese porn fucking girls cock .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\xxx [bangbus] .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\trambling hot (!) (Liz).rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black animal sperm big pregnant .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\sperm full movie .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\Downloaded Program Files\italian cum lingerie uncut hole shower .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\handjob horse sleeping hole upskirt (Curtney).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\italian gang bang bukkake public gorgeoushorny .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\chinese trambling [free] titts wifey .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\asian beast hot (!) titts (Christine,Karin).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\kicking sperm several models hole girly .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lingerie masturbation (Sylvia).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\PLA\Templates\indian porn sperm [bangbus] latex .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\cumshot gay hidden feet .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\french hardcore masturbation .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\kicking sperm hot (!) glans .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\tmp\japanese kicking horse hot (!) femdom (Anniston,Jade).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\black cumshot lingerie big castration .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\swedish cumshot gay [free] cock .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\beast sleeping (Tatjana).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\lingerie voyeur leather .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\horse fucking hidden traffic (Anniston,Jade).rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\italian cum xxx big stockings (Sonja,Melissa).avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\gang bang sperm full movie stockings .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\mssrv.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish gang bang blowjob big castration .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\brasilian horse trambling masturbation hole .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\canadian xxx uncut (Janette).rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\british bukkake uncut glans .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\sperm several models titts Ôï .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\trambling several models cock 50+ .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\gay masturbation titts traffic .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\handjob beast sleeping cock lady .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\xxx girls bedroom .mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\swedish handjob xxx [free] sweet .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\swedish horse trambling uncut titts beautyfull .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\fucking [milf] .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\asian beast hot (!) (Sylvia).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian porn fucking voyeur bondage .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\trambling licking cock beautyfull (Curtney).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish handjob bukkake masturbation feet boots .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\chinese xxx several models titts .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black animal beast lesbian glans (Sonja,Sarah).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\swedish handjob gay [milf] cock .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\action gay masturbation castration .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\fetish lesbian full movie sm .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\animal lesbian [bangbus] leather .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\french hardcore licking titts castration (Janette).zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lesbian girls hole swallow .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\SoftwareDistribution\Download\russian kicking horse sleeping .mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\horse sperm several models titts .zip.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\security\templates\tyrkish gang bang lingerie public .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\african fucking masturbation swallow .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\trambling girls hole bedroom (Samantha).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\lesbian full movie hole 50+ (Sarah).avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\italian handjob lingerie voyeur titts blondie (Curtney).mpg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\african xxx hot (!) shower (Britney,Curtney).mpeg.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\bukkake lesbian feet .rar.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe
File created	C:\Windows\InputMethod\SHARED\beast licking bondage .avi.exe	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4384	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4384	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4356	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4356	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1900	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1900	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1692	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1692	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3788	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3788	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3980	5317c3c4874a89f7d05ee15cd1004fb0N.exe
3980	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4944	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4944	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1032	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1032	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe
4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe
1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4932	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	86
PID 2396 wrote to memory of 4932	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	86
PID 2396 wrote to memory of 4932	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	86
PID 4932 wrote to memory of 2456	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	87
PID 4932 wrote to memory of 2456	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	87
PID 4932 wrote to memory of 2456	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	87
PID 2396 wrote to memory of 3492	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	88
PID 2396 wrote to memory of 3492	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	88
PID 2396 wrote to memory of 3492	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	88
PID 4932 wrote to memory of 1568	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	89
PID 4932 wrote to memory of 1568	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	89
PID 4932 wrote to memory of 1568	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	89
PID 2396 wrote to memory of 4496	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	90
PID 2396 wrote to memory of 4496	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	90
PID 2396 wrote to memory of 4496	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	90
PID 2456 wrote to memory of 1844	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	91
PID 2456 wrote to memory of 1844	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	91
PID 2456 wrote to memory of 1844	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	91
PID 3492 wrote to memory of 4084	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	92
PID 3492 wrote to memory of 4084	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	92
PID 3492 wrote to memory of 4084	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	92
PID 1568 wrote to memory of 4384	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	93
PID 1568 wrote to memory of 4384	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	93
PID 1568 wrote to memory of 4384	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	93
PID 2396 wrote to memory of 4356	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	94
PID 2396 wrote to memory of 4356	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	94
PID 2396 wrote to memory of 4356	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	94
PID 4932 wrote to memory of 1900	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	95
PID 4932 wrote to memory of 1900	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	95
PID 4932 wrote to memory of 1900	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	95
PID 2456 wrote to memory of 1692	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	96
PID 2456 wrote to memory of 1692	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	96
PID 2456 wrote to memory of 1692	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	96
PID 3492 wrote to memory of 3788	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	97
PID 3492 wrote to memory of 3788	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	97
PID 3492 wrote to memory of 3788	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	97
PID 4496 wrote to memory of 3980	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	98
PID 4496 wrote to memory of 3980	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	98
PID 4496 wrote to memory of 3980	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	98
PID 4084 wrote to memory of 4944	4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe	99
PID 4084 wrote to memory of 4944	4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe	99
PID 4084 wrote to memory of 4944	4084	5317c3c4874a89f7d05ee15cd1004fb0N.exe	99
PID 1844 wrote to memory of 1032	1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe	100
PID 1844 wrote to memory of 1032	1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe	100
PID 1844 wrote to memory of 1032	1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe	100
PID 1568 wrote to memory of 5056	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	101
PID 1568 wrote to memory of 5056	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	101
PID 1568 wrote to memory of 5056	1568	5317c3c4874a89f7d05ee15cd1004fb0N.exe	101
PID 4932 wrote to memory of 2496	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	102
PID 4932 wrote to memory of 2496	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	102
PID 4932 wrote to memory of 2496	4932	5317c3c4874a89f7d05ee15cd1004fb0N.exe	102
PID 2396 wrote to memory of 2888	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	103
PID 2396 wrote to memory of 2888	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	103
PID 2396 wrote to memory of 2888	2396	5317c3c4874a89f7d05ee15cd1004fb0N.exe	103
PID 2456 wrote to memory of 1448	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	104
PID 2456 wrote to memory of 1448	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	104
PID 2456 wrote to memory of 1448	2456	5317c3c4874a89f7d05ee15cd1004fb0N.exe	104
PID 3492 wrote to memory of 3456	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	105
PID 3492 wrote to memory of 3456	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	105
PID 3492 wrote to memory of 3456	3492	5317c3c4874a89f7d05ee15cd1004fb0N.exe	105
PID 4496 wrote to memory of 3156	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	106
PID 4496 wrote to memory of 3156	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	106
PID 4496 wrote to memory of 3156	4496	5317c3c4874a89f7d05ee15cd1004fb0N.exe	106
PID 1844 wrote to memory of 3900	1844	5317c3c4874a89f7d05ee15cd1004fb0N.exe	107

C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        8⤵
        
        PID:8832
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        8⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        8⤵
        
        PID:14412
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        8⤵
        
        PID:14340
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:15236
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:10100
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:12756
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:16772
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10180
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14524
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:3900
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:14596
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:16308
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8564
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:9204
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14468
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10544
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:15552
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8236
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10256
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10832
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:14148
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:15248
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14188
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10132
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:15216
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6280
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:15332
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8220
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10616
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14164
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8380
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10304
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6168
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14676
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:7800
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:15264
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10264
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14548
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14580
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6184
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16324
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10220
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14204
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:15272
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:16316
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:12156
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14156
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14132
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8212
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10288
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14196
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:5984
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:11444
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:11628
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14348
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:7936
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:9304
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10608
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:12048
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6216
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16332
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8256
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10328
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14588
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6016
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6052
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14120
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8536
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:9416
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14652
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10600
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14108
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14684
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8008
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10248
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14396
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8704
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10116
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14540
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:15340
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8796
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:9212
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14404
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14604
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6192
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:16340
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:8504
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:9432
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14564
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:4132
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:8936
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:14356
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        7⤵
        
        PID:14492
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10200
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14168
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8552
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:9240
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14212
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:17004
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6288
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:9440
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8528
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8924
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14508
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:16292
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6356
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14724
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8856
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10072
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14460
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:3840
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6232
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14668
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8512
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8416
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:12348
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:672
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14180
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:17072
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:16356
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8196
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10272
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14620
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8544
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8428
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14100
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6256
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14428
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8804
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10208
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14476
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10052
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14612
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14364
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:7628
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14420
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10064
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:720
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8872
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10168
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16284
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14500
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6200
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:16740
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:8228
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:10312
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14388
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:10156
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14516
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:6160
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14240
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8028
      - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        6⤵
        
        PID:14708
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:10552
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14628
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:8372
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:7900
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14636
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:14380
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8480
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10536
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14572
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6304
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16364
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8488
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10320
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14332
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14644
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6240
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:15284
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:8336
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:10336
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14556
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16348
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
        5⤵
        
        PID:16300
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10192
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14444
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14436
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6272
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:8464
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:10088
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14660
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:9340
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:10108
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:14452
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:6312
  - - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
      4⤵
      PID:16372
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:8496
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:10228
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14484
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:10028
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14092
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:6208
- - C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
    3⤵
    PID:14372
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:8248
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:10296
- C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe
  "C:\Users\Admin\AppData\Local\Temp\5317c3c4874a89f7d05ee15cd1004fb0N.exe"
  2⤵
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american handjob hardcore hot (!) titts boots .mpg.exe

Filesize
1.7MB

MD5
0a7e94e057e0f0021f5c2637c78036a4

SHA1
90951be8673b7dccbc6aebd91cf8e2b8aa0275a2

SHA256
9028254622ed3a2ca4ce79ed7437b03a9dfa2f5525ffb8774922bed52a25b16c

SHA512
0a52348b76a2043af7e82bb8d509e9a525acd2867c3b8c40af997aaeca4273590742a8bf48f2a4e6cf8cb0294612fc3d704203e6a45f4823edff698a260f11cc

Download Submit
memory/224-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/224-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/468-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/672-234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1084-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1408-254-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1448-202-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1448-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1568-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1568-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1692-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1692-209-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1844-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1896-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1900-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1900-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1904-255-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-398-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-242-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2416-216-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2456-190-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2496-222-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2496-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2712-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2808-263-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2888-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2952-249-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2952-226-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3156-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3156-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3392-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3456-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3456-203-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3492-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3492-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3788-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3788-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3836-253-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3900-228-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3900-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3980-213-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3980-191-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4060-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4060-230-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4084-179-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4132-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4132-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4356-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4452-252-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4492-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4492-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4496-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4576-279-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4632-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4692-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4692-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-244-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-218-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4932-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4932-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-193-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4944-214-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4948-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4948-264-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5056-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5652-280-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5744-281-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5776-276-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5856-282-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5856-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5880-250-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5888-251-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5936-258-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5948-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5976-260-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5984-261-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6008-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6064-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6176-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6200-287-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6208-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6216-289-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6232-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6248-285-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6256-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6264-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6280-291-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/6356-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download