00b5701fd6e1de2ba89863291601a29ea25741012fd2aacefe73b0a76ec83051

Analysis

max time kernel
13s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 06:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

55bedc6741a5e766c87538aa42610f80N.exe
Size

1003KB
MD5

55bedc6741a5e766c87538aa42610f80
SHA1

bd190a18ad6c65a8520091d1079404ec3edcb0af
SHA256

00b5701fd6e1de2ba89863291601a29ea25741012fd2aacefe73b0a76ec83051
SHA512

864582007a2c9fc0bd53a79329d9540e71063426e33a3a6ac64b3d62e929e5beee132c70f40e64bfbc8160de37ae3997745d6001b3f9f59c16e782abd95c1d9d
SSDEEP

24576:oWzKK+KosX1FHKI8OL78JDzZiYRN3XkoYAIx2:VzKLI7HK5O38DzbRGoYAIo

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	55bedc6741a5e766c87538aa42610f80N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	55bedc6741a5e766c87538aa42610f80N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\I:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\N:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\P:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\S:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\T:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\U:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\W:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\Z:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\E:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\H:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\J:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\K:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\L:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\R:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\G:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\M:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\X:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\A:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\O:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\Q:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\V:	55bedc6741a5e766c87538aa42610f80N.exe
File opened (read-only)	\??\Y:	55bedc6741a5e766c87538aa42610f80N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black sperm sleeping upskirt .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay masturbation castration .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\gay animal [free] .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse [bangbus] .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish trambling fucking several models black hairunshaved .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\FxsTmp\african lingerie cum catfight legs .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\spanish beast porn masturbation .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish action voyeur gorgeoushorny (Anniston).avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian nude gay sleeping (Melissa).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\FxsTmp\beastiality masturbation (Tatjana).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\norwegian beast public shower .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\cum porn licking mistress (Liz,Britney).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american gay lingerie full movie .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Common Files\microsoft shared\african animal [free] shoes .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\dotnet\shared\animal gang bang full movie latex .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\brasilian horse blowjob catfight titts bedroom (Melissa,Janette).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Google\Update\Download\brasilian action several models .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\african gang bang catfight redhair .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\bukkake lingerie voyeur blondie .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lingerie kicking hidden lady .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob animal licking nipples .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm several models boobs .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\canadian handjob girls (Anniston,Gina).zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Microsoft\Temp\japanese sperm catfight nipples redhair (Anniston).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german hardcore [milf] feet pregnant .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\bukkake hardcore girls vagina (Sarah).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish nude hidden legs (Curtney).mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Google\Temp\sperm bukkake sleeping upskirt .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\american lesbian catfight .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\german sperm xxx uncut (Britney,Sarah).avi.exe	55bedc6741a5e766c87538aa42610f80N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\american blowjob licking hole (Gina).zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\beastiality public redhair (Jenna).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SoftwareDistribution\Download\bukkake kicking girls boobs black hairunshaved .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\spanish lesbian xxx hot (!) bedroom (Sarah).mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\french gang bang fetish several models ash .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\norwegian fucking public cock .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse kicking voyeur boobs .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\security\templates\trambling big hole (Britney).avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\spanish lingerie catfight nipples .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\hardcore full movie .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american lingerie hot (!) upskirt .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\assembly\tmp\german action licking high heels .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\PLA\Templates\blowjob public 50+ .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\american animal lingerie hot (!) black hairunshaved .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\horse handjob [free] ash swallow .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\chinese trambling gay public nipples wifey .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\american xxx uncut (Sarah).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\british beast cumshot [milf] 40+ .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\mssrv.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\Downloaded Program Files\indian trambling [free] stockings .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\spanish gay gang bang hidden nipples 50+ .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\malaysia lingerie catfight girly .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\tyrkish fetish full movie boobs .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\american lesbian hardcore voyeur .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\chinese kicking sleeping .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\CbsTemp\italian bukkake uncut .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\hardcore action hidden sm .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\swedish horse beast voyeur feet .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\InputMethod\SHARED\african lesbian gay voyeur bedroom .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\british horse lingerie full movie balls (Kathrin).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\brasilian action [free] (Janette).zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\beastiality girls vagina beautyfull .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\malaysia horse public .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\fetish trambling [free] .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\cumshot horse hidden (Ashley,Melissa).zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\african trambling girls .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\black lesbian [milf] hairy .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\hardcore animal [free] ash balls .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\assembly\temp\brasilian cumshot uncut hole .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\sperm [free] 50+ .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\norwegian bukkake [free] lady .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\handjob lesbian catfight .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\russian nude hidden Ôï .rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\black action beastiality full movie YEâPSè& .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish cum nude girls glans (Sonja).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\cum [free] ash (Jenna).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\swedish horse big lady (Jade,Jade).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\norwegian beastiality [free] .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\horse girls bondage (Curtney).rar.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\african horse sleeping titts hairy .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\kicking full movie vagina (Sylvia,Tatjana).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\blowjob action [bangbus] (Samantha).avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\malaysia nude trambling [milf] fishy .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\american lingerie sleeping legs latex .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\porn action hot (!) YEâPSè& .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\russian action lesbian feet high heels .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\tyrkish bukkake beastiality big nipples balls .avi.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\sperm lesbian balls .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\horse animal catfight vagina gorgeoushorny (Anniston).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\swedish blowjob hidden .mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese nude several models bondage (Ashley,Sandy).mpg.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\gang bang horse lesbian .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\animal fucking voyeur boobs .zip.exe	55bedc6741a5e766c87538aa42610f80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\fucking beastiality masturbation shower .mpeg.exe	55bedc6741a5e766c87538aa42610f80N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bedc6741a5e766c87538aa42610f80N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4620	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
2736	55bedc6741a5e766c87538aa42610f80N.exe
2736	55bedc6741a5e766c87538aa42610f80N.exe
932	55bedc6741a5e766c87538aa42610f80N.exe
932	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
4544	55bedc6741a5e766c87538aa42610f80N.exe
4544	55bedc6741a5e766c87538aa42610f80N.exe
1008	55bedc6741a5e766c87538aa42610f80N.exe
1008	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
4876	55bedc6741a5e766c87538aa42610f80N.exe
4876	55bedc6741a5e766c87538aa42610f80N.exe
4156	55bedc6741a5e766c87538aa42610f80N.exe
4156	55bedc6741a5e766c87538aa42610f80N.exe
2216	55bedc6741a5e766c87538aa42610f80N.exe
2216	55bedc6741a5e766c87538aa42610f80N.exe
2736	55bedc6741a5e766c87538aa42610f80N.exe
2736	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
2512	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
4620	55bedc6741a5e766c87538aa42610f80N.exe
1476	55bedc6741a5e766c87538aa42610f80N.exe
1476	55bedc6741a5e766c87538aa42610f80N.exe
5028	55bedc6741a5e766c87538aa42610f80N.exe
5028	55bedc6741a5e766c87538aa42610f80N.exe
1116	55bedc6741a5e766c87538aa42610f80N.exe
1116	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
4860	55bedc6741a5e766c87538aa42610f80N.exe
2292	55bedc6741a5e766c87538aa42610f80N.exe
2292	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
440	55bedc6741a5e766c87538aa42610f80N.exe
932	55bedc6741a5e766c87538aa42610f80N.exe
932	55bedc6741a5e766c87538aa42610f80N.exe
4544	55bedc6741a5e766c87538aa42610f80N.exe
4544	55bedc6741a5e766c87538aa42610f80N.exe
972	55bedc6741a5e766c87538aa42610f80N.exe
972	55bedc6741a5e766c87538aa42610f80N.exe
1008	55bedc6741a5e766c87538aa42610f80N.exe
1008	55bedc6741a5e766c87538aa42610f80N.exe
4836	55bedc6741a5e766c87538aa42610f80N.exe
4836	55bedc6741a5e766c87538aa42610f80N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2512	4620	55bedc6741a5e766c87538aa42610f80N.exe	88
PID 4620 wrote to memory of 2512	4620	55bedc6741a5e766c87538aa42610f80N.exe	88
PID 4620 wrote to memory of 2512	4620	55bedc6741a5e766c87538aa42610f80N.exe	88
PID 4620 wrote to memory of 440	4620	55bedc6741a5e766c87538aa42610f80N.exe	92
PID 4620 wrote to memory of 440	4620	55bedc6741a5e766c87538aa42610f80N.exe	92
PID 4620 wrote to memory of 440	4620	55bedc6741a5e766c87538aa42610f80N.exe	92
PID 2512 wrote to memory of 4860	2512	55bedc6741a5e766c87538aa42610f80N.exe	93
PID 2512 wrote to memory of 4860	2512	55bedc6741a5e766c87538aa42610f80N.exe	93
PID 2512 wrote to memory of 4860	2512	55bedc6741a5e766c87538aa42610f80N.exe	93
PID 4620 wrote to memory of 2736	4620	55bedc6741a5e766c87538aa42610f80N.exe	95
PID 4620 wrote to memory of 2736	4620	55bedc6741a5e766c87538aa42610f80N.exe	95
PID 4620 wrote to memory of 2736	4620	55bedc6741a5e766c87538aa42610f80N.exe	95
PID 2512 wrote to memory of 932	2512	55bedc6741a5e766c87538aa42610f80N.exe	96
PID 2512 wrote to memory of 932	2512	55bedc6741a5e766c87538aa42610f80N.exe	96
PID 2512 wrote to memory of 932	2512	55bedc6741a5e766c87538aa42610f80N.exe	96
PID 4860 wrote to memory of 4544	4860	55bedc6741a5e766c87538aa42610f80N.exe	97
PID 4860 wrote to memory of 4544	4860	55bedc6741a5e766c87538aa42610f80N.exe	97
PID 4860 wrote to memory of 4544	4860	55bedc6741a5e766c87538aa42610f80N.exe	97
PID 440 wrote to memory of 1008	440	55bedc6741a5e766c87538aa42610f80N.exe	98
PID 440 wrote to memory of 1008	440	55bedc6741a5e766c87538aa42610f80N.exe	98
PID 440 wrote to memory of 1008	440	55bedc6741a5e766c87538aa42610f80N.exe	98
PID 4620 wrote to memory of 4156	4620	55bedc6741a5e766c87538aa42610f80N.exe	100
PID 4620 wrote to memory of 4156	4620	55bedc6741a5e766c87538aa42610f80N.exe	100
PID 4620 wrote to memory of 4156	4620	55bedc6741a5e766c87538aa42610f80N.exe	100
PID 2736 wrote to memory of 4876	2736	55bedc6741a5e766c87538aa42610f80N.exe	101
PID 2736 wrote to memory of 4876	2736	55bedc6741a5e766c87538aa42610f80N.exe	101
PID 2736 wrote to memory of 4876	2736	55bedc6741a5e766c87538aa42610f80N.exe	101
PID 2512 wrote to memory of 2216	2512	55bedc6741a5e766c87538aa42610f80N.exe	102
PID 2512 wrote to memory of 2216	2512	55bedc6741a5e766c87538aa42610f80N.exe	102
PID 2512 wrote to memory of 2216	2512	55bedc6741a5e766c87538aa42610f80N.exe	102
PID 4860 wrote to memory of 5028	4860	55bedc6741a5e766c87538aa42610f80N.exe	103
PID 4860 wrote to memory of 5028	4860	55bedc6741a5e766c87538aa42610f80N.exe	103
PID 4860 wrote to memory of 5028	4860	55bedc6741a5e766c87538aa42610f80N.exe	103
PID 440 wrote to memory of 1476	440	55bedc6741a5e766c87538aa42610f80N.exe	104
PID 440 wrote to memory of 1476	440	55bedc6741a5e766c87538aa42610f80N.exe	104
PID 440 wrote to memory of 1476	440	55bedc6741a5e766c87538aa42610f80N.exe	104
PID 932 wrote to memory of 1116	932	55bedc6741a5e766c87538aa42610f80N.exe	105
PID 932 wrote to memory of 1116	932	55bedc6741a5e766c87538aa42610f80N.exe	105
PID 932 wrote to memory of 1116	932	55bedc6741a5e766c87538aa42610f80N.exe	105
PID 4544 wrote to memory of 2292	4544	55bedc6741a5e766c87538aa42610f80N.exe	106
PID 4544 wrote to memory of 2292	4544	55bedc6741a5e766c87538aa42610f80N.exe	106
PID 4544 wrote to memory of 2292	4544	55bedc6741a5e766c87538aa42610f80N.exe	106
PID 1008 wrote to memory of 972	1008	55bedc6741a5e766c87538aa42610f80N.exe	107
PID 1008 wrote to memory of 972	1008	55bedc6741a5e766c87538aa42610f80N.exe	107
PID 1008 wrote to memory of 972	1008	55bedc6741a5e766c87538aa42610f80N.exe	107
PID 2736 wrote to memory of 4652	2736	55bedc6741a5e766c87538aa42610f80N.exe	110
PID 2736 wrote to memory of 4652	2736	55bedc6741a5e766c87538aa42610f80N.exe	110
PID 2736 wrote to memory of 4652	2736	55bedc6741a5e766c87538aa42610f80N.exe	110
PID 4620 wrote to memory of 4836	4620	55bedc6741a5e766c87538aa42610f80N.exe	111
PID 4620 wrote to memory of 4836	4620	55bedc6741a5e766c87538aa42610f80N.exe	111
PID 4620 wrote to memory of 4836	4620	55bedc6741a5e766c87538aa42610f80N.exe	111
PID 2512 wrote to memory of 2620	2512	55bedc6741a5e766c87538aa42610f80N.exe	112
PID 2512 wrote to memory of 2620	2512	55bedc6741a5e766c87538aa42610f80N.exe	112
PID 2512 wrote to memory of 2620	2512	55bedc6741a5e766c87538aa42610f80N.exe	112
PID 4876 wrote to memory of 1212	4876	55bedc6741a5e766c87538aa42610f80N.exe	113
PID 4876 wrote to memory of 1212	4876	55bedc6741a5e766c87538aa42610f80N.exe	113
PID 4876 wrote to memory of 1212	4876	55bedc6741a5e766c87538aa42610f80N.exe	113
PID 4860 wrote to memory of 4648	4860	55bedc6741a5e766c87538aa42610f80N.exe	114
PID 4860 wrote to memory of 4648	4860	55bedc6741a5e766c87538aa42610f80N.exe	114
PID 4860 wrote to memory of 4648	4860	55bedc6741a5e766c87538aa42610f80N.exe	114
PID 4156 wrote to memory of 1436	4156	55bedc6741a5e766c87538aa42610f80N.exe	115
PID 4156 wrote to memory of 1436	4156	55bedc6741a5e766c87538aa42610f80N.exe	115
PID 4156 wrote to memory of 1436	4156	55bedc6741a5e766c87538aa42610f80N.exe	115
PID 440 wrote to memory of 3104	440	55bedc6741a5e766c87538aa42610f80N.exe	116

C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
"C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        8⤵
        
        PID:11896
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        8⤵
        
        PID:13528
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13792
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:10952
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13712
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:10824
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13744
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13888
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:11888
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13512
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:14128
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:8196
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:8572
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:14024
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11588
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13584
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9340
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13904
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:11436
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13632
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:8076
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13960
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:10984
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13680
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7424
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9588
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13808
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:10464
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13768
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7392
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9284
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13976
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5440
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:8036
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13984
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6840
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:10832
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13752
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9388
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13832
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:11520
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13552
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:8308
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:14080
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5916
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:10164
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13776
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6268
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:10960
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13720
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9316
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13848
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:448
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11800
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13576
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:8204
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7404
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14032
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7956
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9220
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14000
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6816
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:11280
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13672
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9380
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13816
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11744
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13616
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7992
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9228
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13912
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:8656
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9208
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14104
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7160
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:10908
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:15172
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13704
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9332
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13896
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9828
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13784
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:14072
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6396
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:11368
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13664
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9348
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13880
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6528
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:11760
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13592
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:8288
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:8436
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:14088
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5184
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:11872
        
        C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        7⤵
        
        PID:13560
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:8540
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:7236
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:14096
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11752
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13608
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7436
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9292
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13872
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11880
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13520
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:8212
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7064
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14040
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5808
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:10840
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13484
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7276
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9308
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13800
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:6364
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:11388
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13648
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14008
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5848
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:11376
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13656
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7316
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9596
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13840
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6240
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:12136
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13496
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7576
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9260
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13952
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7476
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9276
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13992
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6792
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:10592
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13728
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:9364
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:13856
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:10472
      - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        6⤵
        
        PID:13760
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7552
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9244
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13920
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5404
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:7792
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9236
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13936
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6724
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13696
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8648
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:14112
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:8044
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:9148
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:14016
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6624
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:11808
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13544
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8280
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:14056
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7068
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:10968
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13688
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9324
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13944
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6408
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:11424
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13640
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:8228
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:9192
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:12008
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:13536
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:6228
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:10976
    - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
        5⤵
        
        PID:13736
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:7560
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9252
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13928
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8260
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:8620
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:14048
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6780
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:11580
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13600
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:9372
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:13824
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:9356
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13864
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:11528
  - - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
      "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
      4⤵
      PID:13568
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:8328
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:6336
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:14064
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:5316
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:7492
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:9268
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:13968
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:6356
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:11444
- - C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
    3⤵
    PID:13624
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:8236
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:9184
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:12024
- C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\55bedc6741a5e766c87538aa42610f80N.exe"
  2⤵
  PID:13504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish nude hidden legs (Curtney).mpeg.exe

Filesize
1.9MB

MD5
b71c2a713e8815cc9f7feb080ecc8b9f

SHA1
679dd0bfb727e06b4dee0f28cec4c6ba2e73c0b8

SHA256
43160d53ac73babe1a959105596405cbae68e2d274feb1aa7e5dfc4be40efb04

SHA512
c5287693902903e685bc928f4a309181dea033696ff732a37baef05873b9394fa690fefb4cb21776ad2882dc7cde0c4f5fcf12c7abd8cd5554bdac1abf89cf8e

Download Submit
memory/448-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/932-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1008-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1116-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1212-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1436-199-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1476-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1752-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1820-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2184-263-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2216-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2316-203-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2652-202-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2736-171-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3104-200-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3652-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4156-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4620-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4648-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4836-196-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4860-148-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4876-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5028-192-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5184-206-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5248-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5316-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5348-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5440-211-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5476-210-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5580-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5704-213-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5808-214-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5892-215-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5900-216-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6000-217-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6028-218-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6228-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6280-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6300-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6336-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6356-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6372-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6380-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6396-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6472-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6528-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6616-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6624-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6780-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6792-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6816-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/6840-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7068-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7268-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7316-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7404-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7476-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7552-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7560-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7576-240-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7792-241-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7956-243-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7964-244-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7992-242-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8036-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8044-246-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8076-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8084-260-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8204-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8260-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8288-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8308-251-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8328-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8436-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8440-264-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8540-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8572-267-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8620-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8648-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/8656-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9148-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9156-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9184-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9192-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9200-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9208-259-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9220-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9236-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9244-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9268-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9284-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9324-278-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9332-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9340-279-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download