neshta | 5ebf9f85b062b4e0417fad150002e55b7563af040dcde97834c76ed827745188

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
Size

217KB
MD5

2219802df8a09e0ce53ddf7dc5fde337
SHA1

ad7c0b0bf751f5cf10cf4f541f78b4a6e4981080
SHA256

5ebf9f85b062b4e0417fad150002e55b7563af040dcde97834c76ed827745188
SHA512

268720b30db5885920f6b5a667bf167b72b3f3acc15ab426b86296ea1a2627df302dc19d85768298b1c35a0e5eb9d320722fa3cd17be3159a1bed0f2374ea898
SSDEEP

3072:sr85Ct2M+lmsolAIrRuw+mqv9j1MWLQy5qMjvAFs9xfOMHr85Ct:k9tV+lDAAtos9z9t

Score

10^/10

neshta xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

45.138.16.245:3232

Mutex

0UFV4aMOGjS4dAoi

Attributes

Install_directory
%AppData%
install_file
updater.exe
telegram
https://api.telegram.org/bot6540672623:AAGukZDFGHruAlAUrHlj3x5shLqUsP0iku8/sendMessage?chat_id=6300910507

aes.plain

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/2004-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4536-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3168-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4088-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2672-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2264-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4244-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4992-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4964-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2736-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4648-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1356-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4552-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3668-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
behavioral2/memory/1844-111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
behavioral2/memory/2380-132-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4508-136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/404-144-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4216-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3124-156-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4896-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	family_neshta
behavioral2/memory/1256-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/224-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1672-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4608-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5000-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1072-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4956-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2316-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2000-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4432-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2820-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4500-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5108-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3972-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4648-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4416-324-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1144-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4552-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1636-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3100-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1788-341-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1776-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1868-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1876-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2140-357-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	family_xworm
behavioral2/memory/1692-1473-0x00000000008E0000-0x0000000000908000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\updater.exe	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1692-1473-0x00000000008E0000-0x0000000000908000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\updater.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables using Telegram Chat Bot 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/1692-1473-0x00000000008E0000-0x0000000000908000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
C:\Users\Admin\AppData\Roaming\updater.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-0~1.EXE

Drops startup file 2 IoCs

Processes:

2024-0~1.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	2024-0~1.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	2024-0~1.EXE

Executes dropped EXE 64 IoCs

Processes:

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exesvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com

pid	process
2964	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
2004	svchost.com
4536	2024-0~1.EXE
3168	svchost.com
4088	2024-0~1.EXE
2672	svchost.com
2264	2024-0~1.EXE
2324	svchost.com
4244	2024-0~1.EXE
4992	svchost.com
4964	2024-0~1.EXE
2736	svchost.com
4648	2024-0~1.EXE
1356	svchost.com
4552	2024-0~1.EXE
3668	svchost.com
1844	2024-0~1.EXE
2380	svchost.com
4508	2024-0~1.EXE
404	svchost.com
4216	2024-0~1.EXE
3124	svchost.com
4896	2024-0~1.EXE
1256	svchost.com
224	2024-0~1.EXE
1672	svchost.com
4608	2024-0~1.EXE
5000	svchost.com
1072	2024-0~1.EXE
4956	svchost.com
2316	2024-0~1.EXE
2000	svchost.com
4432	2024-0~1.EXE
2820	svchost.com
4500	2024-0~1.EXE
5108	svchost.com
3972	2024-0~1.EXE
4648	svchost.com
4416	2024-0~1.EXE
1144	svchost.com
4552	2024-0~1.EXE
1636	svchost.com
3100	2024-0~1.EXE
1788	svchost.com
1776	2024-0~1.EXE
1868	svchost.com
1876	2024-0~1.EXE
2140	svchost.com
1428	2024-0~1.EXE
4844	svchost.com
2772	2024-0~1.EXE
3476	svchost.com
4564	2024-0~1.EXE
2516	svchost.com
4492	2024-0~1.EXE
716	svchost.com
2576	2024-0~1.EXE
744	svchost.com
1700	2024-0~1.EXE
2600	svchost.com
1092	2024-0~1.EXE
2672	svchost.com
2128	2024-0~1.EXE
1072	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.com2024-0~1.EXEsvchost.comsvchost.comsvchost.com2024-0~1.EXE2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.comsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXE2024-0~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com2024-0~1.EXEsvchost.comsvchost.com2024-0~1.EXE2024-0~1.EXEsvchost.com2024-0~1.EXE2024-0~1.EXE2024-0~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com2024-0~1.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	2024-0~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE2024-0~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	2024-0~1.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-0~1.EXE

pid process

1692 2024-0~1.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-0~1.EXE

description pid process

Token: SeDebugPrivilege 1692 2024-0~1.EXE
Token: SeDebugPrivilege 1692 2024-0~1.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2024-0~1.EXE

pid process

1692 2024-0~1.EXE

pid	process
1692	2024-0~1.EXE

description	pid	process
Token: SeDebugPrivilege	1692	2024-0~1.EXE
Token: SeDebugPrivilege	1692	2024-0~1.EXE

pid	process
1692	2024-0~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exesvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXEsvchost.com2024-0~1.EXE

description	pid	process	target process
PID 1968 wrote to memory of 2964	1968	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
PID 1968 wrote to memory of 2964	1968	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
PID 1968 wrote to memory of 2964	1968	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
PID 2964 wrote to memory of 2004	2964	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	svchost.com
PID 2964 wrote to memory of 2004	2964	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	svchost.com
PID 2964 wrote to memory of 2004	2964	2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe	svchost.com
PID 2004 wrote to memory of 4536	2004	svchost.com	2024-0~1.EXE
PID 2004 wrote to memory of 4536	2004	svchost.com	2024-0~1.EXE
PID 2004 wrote to memory of 4536	2004	svchost.com	2024-0~1.EXE
PID 4536 wrote to memory of 3168	4536	2024-0~1.EXE	svchost.com
PID 4536 wrote to memory of 3168	4536	2024-0~1.EXE	svchost.com
PID 4536 wrote to memory of 3168	4536	2024-0~1.EXE	svchost.com
PID 3168 wrote to memory of 4088	3168	svchost.com	2024-0~1.EXE
PID 3168 wrote to memory of 4088	3168	svchost.com	2024-0~1.EXE
PID 3168 wrote to memory of 4088	3168	svchost.com	2024-0~1.EXE
PID 4088 wrote to memory of 2672	4088	2024-0~1.EXE	svchost.com
PID 4088 wrote to memory of 2672	4088	2024-0~1.EXE	svchost.com
PID 4088 wrote to memory of 2672	4088	2024-0~1.EXE	svchost.com
PID 2672 wrote to memory of 2264	2672	svchost.com	2024-0~1.EXE
PID 2672 wrote to memory of 2264	2672	svchost.com	2024-0~1.EXE
PID 2672 wrote to memory of 2264	2672	svchost.com	2024-0~1.EXE
PID 2264 wrote to memory of 2324	2264	2024-0~1.EXE	svchost.com
PID 2264 wrote to memory of 2324	2264	2024-0~1.EXE	svchost.com
PID 2264 wrote to memory of 2324	2264	2024-0~1.EXE	svchost.com
PID 2324 wrote to memory of 4244	2324	svchost.com	2024-0~1.EXE
PID 2324 wrote to memory of 4244	2324	svchost.com	2024-0~1.EXE
PID 2324 wrote to memory of 4244	2324	svchost.com	2024-0~1.EXE
PID 4244 wrote to memory of 4992	4244	2024-0~1.EXE	svchost.com
PID 4244 wrote to memory of 4992	4244	2024-0~1.EXE	svchost.com
PID 4244 wrote to memory of 4992	4244	2024-0~1.EXE	svchost.com
PID 4992 wrote to memory of 4964	4992	svchost.com	2024-0~1.EXE
PID 4992 wrote to memory of 4964	4992	svchost.com	2024-0~1.EXE
PID 4992 wrote to memory of 4964	4992	svchost.com	2024-0~1.EXE
PID 4964 wrote to memory of 2736	4964	2024-0~1.EXE	svchost.com
PID 4964 wrote to memory of 2736	4964	2024-0~1.EXE	svchost.com
PID 4964 wrote to memory of 2736	4964	2024-0~1.EXE	svchost.com
PID 2736 wrote to memory of 4648	2736	svchost.com	svchost.com
PID 2736 wrote to memory of 4648	2736	svchost.com	svchost.com
PID 2736 wrote to memory of 4648	2736	svchost.com	svchost.com
PID 4648 wrote to memory of 1356	4648	2024-0~1.EXE	svchost.com
PID 4648 wrote to memory of 1356	4648	2024-0~1.EXE	svchost.com
PID 4648 wrote to memory of 1356	4648	2024-0~1.EXE	svchost.com
PID 1356 wrote to memory of 4552	1356	svchost.com	2024-0~1.EXE
PID 1356 wrote to memory of 4552	1356	svchost.com	2024-0~1.EXE
PID 1356 wrote to memory of 4552	1356	svchost.com	2024-0~1.EXE
PID 4552 wrote to memory of 3668	4552	2024-0~1.EXE	svchost.com
PID 4552 wrote to memory of 3668	4552	2024-0~1.EXE	svchost.com
PID 4552 wrote to memory of 3668	4552	2024-0~1.EXE	svchost.com
PID 3668 wrote to memory of 1844	3668	svchost.com	2024-0~1.EXE
PID 3668 wrote to memory of 1844	3668	svchost.com	2024-0~1.EXE
PID 3668 wrote to memory of 1844	3668	svchost.com	2024-0~1.EXE
PID 1844 wrote to memory of 2380	1844	2024-0~1.EXE	svchost.com
PID 1844 wrote to memory of 2380	1844	2024-0~1.EXE	svchost.com
PID 1844 wrote to memory of 2380	1844	2024-0~1.EXE	svchost.com
PID 2380 wrote to memory of 4508	2380	svchost.com	2024-0~1.EXE
PID 2380 wrote to memory of 4508	2380	svchost.com	2024-0~1.EXE
PID 2380 wrote to memory of 4508	2380	svchost.com	2024-0~1.EXE
PID 4508 wrote to memory of 404	4508	2024-0~1.EXE	svchost.com
PID 4508 wrote to memory of 404	4508	2024-0~1.EXE	svchost.com
PID 4508 wrote to memory of 404	4508	2024-0~1.EXE	svchost.com
PID 404 wrote to memory of 4216	404	svchost.com	2024-0~1.EXE
PID 404 wrote to memory of 4216	404	svchost.com	2024-0~1.EXE
PID 404 wrote to memory of 4216	404	svchost.com	2024-0~1.EXE
PID 4216 wrote to memory of 3124	4216	2024-0~1.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
23⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
24⤵
- Executes dropped EXE
PID:4896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
25⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
26⤵
- Checks computer location settings
- Executes dropped EXE
PID:224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
27⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
28⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
29⤵
- Executes dropped EXE
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
30⤵
- Executes dropped EXE
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
31⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
33⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
35⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
37⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
38⤵
- Executes dropped EXE
PID:3972

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
39⤵
- Executes dropped EXE
PID:4648

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4416

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
41⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
42⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4552

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
43⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
44⤵
- Executes dropped EXE
PID:3100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
45⤵
- Executes dropped EXE
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
46⤵
- Checks computer location settings
- Executes dropped EXE
PID:1776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
47⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
49⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
50⤵
- Executes dropped EXE
PID:1428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
51⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
52⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
53⤵
- Executes dropped EXE
PID:3476

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
54⤵
- Checks computer location settings
- Executes dropped EXE
PID:4564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
55⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
56⤵
- Executes dropped EXE
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
57⤵
- Executes dropped EXE
PID:716

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
59⤵
- Executes dropped EXE
PID:744

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
60⤵
- Executes dropped EXE
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
61⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
62⤵
- Executes dropped EXE
- Modifies registry class
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
63⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
64⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2128

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
65⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
66⤵
PID:4904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
67⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
68⤵
- Modifies registry class
PID:1084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
69⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
70⤵
PID:1436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
71⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
72⤵
PID:4188

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
73⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
74⤵
- Checks computer location settings
PID:560

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
75⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
76⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
77⤵
- Drops file in Windows directory
PID:3668

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
78⤵
PID:1676

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
79⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
80⤵
- Checks computer location settings
- Modifies registry class
PID:3880

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
81⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
82⤵
- Checks computer location settings
PID:456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
83⤵
- Drops file in Windows directory
PID:116

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
84⤵
- Modifies registry class
PID:2164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
85⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
86⤵
PID:3504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
87⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
88⤵
- Checks computer location settings
PID:3356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
89⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
90⤵
- Modifies registry class
PID:3488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
91⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
92⤵
PID:5072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
93⤵
- Drops file in Windows directory
PID:2576

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
94⤵
- Checks computer location settings
- Modifies registry class
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
95⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
96⤵
PID:3068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
97⤵
- Drops file in Windows directory
PID:4856

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
98⤵
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
99⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
100⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
101⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
102⤵
PID:2696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
103⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
104⤵
- Checks computer location settings
PID:4500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
105⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
106⤵
- Checks computer location settings
- Modifies registry class
PID:3984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
107⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
108⤵
- Drops file in Windows directory
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
109⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
110⤵
PID:396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
111⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
112⤵
- Checks computer location settings
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
113⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
114⤵
- Checks computer location settings
PID:3012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
115⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
116⤵
PID:4396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
117⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
118⤵
- Modifies registry class
PID:1316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
119⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
120⤵
- Checks computer location settings
PID:4104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
121⤵
- Drops file in Windows directory
PID:2656

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
122⤵
- Modifies registry class
PID:2080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
123⤵
- Drops file in Windows directory
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
124⤵
- Drops file in Windows directory
PID:4848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
125⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
126⤵
- Modifies registry class
PID:4152

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
127⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
128⤵
PID:4920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
129⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
130⤵
- Checks computer location settings
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
131⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
132⤵
- Drops file in Windows directory
PID:4772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
133⤵
- Drops file in Windows directory
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
134⤵
- Checks computer location settings
PID:5076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
135⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
136⤵
- Modifies registry class
PID:2860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
137⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
138⤵
PID:2684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
139⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
140⤵
PID:1072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
141⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
142⤵
PID:4904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
143⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
144⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
145⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
146⤵
- Modifies registry class
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
147⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
148⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
149⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
150⤵
- Checks computer location settings
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
151⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
152⤵
- Modifies registry class
PID:4464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
153⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
154⤵
- Modifies registry class
PID:1308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
155⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
156⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
157⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
158⤵
- Modifies registry class
PID:1752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
159⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
160⤵
- Drops file in Windows directory
PID:2816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
161⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
162⤵
- Checks computer location settings
PID:2948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
163⤵
- Drops file in Windows directory
PID:2896

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
164⤵
- Modifies registry class
PID:3076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
165⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
166⤵
- Checks computer location settings
- Modifies registry class
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
167⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
168⤵
- Modifies registry class
PID:4920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
169⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
170⤵
- Checks computer location settings
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
171⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
172⤵
- Drops file in Windows directory
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
173⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
174⤵
- Modifies registry class
PID:3996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
175⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
176⤵
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
177⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
178⤵
- Checks computer location settings
- Modifies registry class
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
179⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
180⤵
PID:4432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
181⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
182⤵
- Modifies registry class
PID:3168

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
183⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
184⤵
PID:3304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
185⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
186⤵
- Checks computer location settings
PID:4648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
187⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
188⤵
- Checks computer location settings
PID:4464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
189⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
190⤵
PID:5048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
191⤵
- Drops file in Windows directory
PID:1676

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
192⤵
- Modifies registry class
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
193⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
194⤵
- Checks computer location settings
PID:1316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
195⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
196⤵
- Modifies registry class
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
197⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
198⤵
- Checks computer location settings
- Modifies registry class
PID:4100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
199⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
200⤵
- Modifies registry class
PID:220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
201⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
202⤵
- Checks computer location settings
- Modifies registry class
PID:740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
203⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
204⤵
- Checks computer location settings
- Modifies registry class
PID:3220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
205⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
206⤵
PID:4768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
207⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
208⤵
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
209⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
210⤵
PID:3864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
211⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
212⤵
- Modifies registry class
PID:3876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
213⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
214⤵
PID:3952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
215⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
216⤵
- Checks computer location settings
PID:4744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
217⤵
- Drops file in Windows directory
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
218⤵
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
219⤵
- Drops file in Windows directory
PID:60

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
220⤵
- Drops file in Windows directory
- Modifies registry class
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
221⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
222⤵
- Checks computer location settings
PID:1316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
223⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
224⤵
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
225⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
226⤵
- Modifies registry class
PID:1256

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
227⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
228⤵
- Modifies registry class
PID:220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
229⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
230⤵
- Modifies registry class
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
231⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
232⤵
- Checks computer location settings
PID:1672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
233⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
234⤵
PID:3352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
235⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
236⤵
- Checks computer location settings
PID:3004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
237⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
238⤵
PID:1404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
239⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
240⤵
- Modifies registry class
PID:3924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
241⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
242⤵
- Checks computer location settings
PID:2160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
243⤵
- Drops file in Windows directory
PID:1788

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
244⤵
PID:4608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
245⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
246⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
247⤵
- Drops file in Windows directory
PID:4236

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
248⤵
- Drops file in Windows directory
PID:1876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
249⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
250⤵
- Checks computer location settings
PID:4272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
251⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
252⤵
PID:212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
253⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
254⤵
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
255⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
256⤵
- Checks computer location settings
PID:5076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
257⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
258⤵
- Drops file in Windows directory
- Modifies registry class
PID:1080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
259⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
260⤵
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
261⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
262⤵
- Checks computer location settings
PID:780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
263⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
264⤵
- Modifies registry class
PID:3712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
265⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
266⤵
- Modifies registry class
PID:3876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
267⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
268⤵
PID:3952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
269⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
270⤵
- Checks computer location settings
PID:4744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
271⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
272⤵
PID:2380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
273⤵
- Drops file in Windows directory
PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
274⤵
PID:640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
275⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
276⤵
- Modifies registry class
PID:4072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
277⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
278⤵
- Checks computer location settings
- Modifies registry class
PID:4344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
279⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
280⤵
- Checks computer location settings
- Modifies registry class
PID:4404

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
281⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
282⤵
- Modifies registry class
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
283⤵
- Drops file in Windows directory
PID:2672

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
284⤵
- Drops file in Windows directory
PID:3888

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
285⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
286⤵
PID:1620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
287⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
288⤵
PID:4604

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
289⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
290⤵
PID:1076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
291⤵
- Drops file in Windows directory
PID:2348

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
292⤵
PID:2308

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
293⤵
- Drops file in Windows directory
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
294⤵
PID:1848

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
295⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
296⤵
PID:4232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
297⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
298⤵
- Drops file in Windows directory
PID:1356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
299⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
300⤵
- Modifies registry class
PID:3344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
301⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
302⤵
- Checks computer location settings
PID:3424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
303⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
304⤵
- Drops file in Windows directory
- Modifies registry class
PID:3488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
305⤵
- Drops file in Windows directory
PID:4628

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
306⤵
PID:2120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
307⤵
- Drops file in Windows directory
PID:2220

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
308⤵
PID:3248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
309⤵
- Drops file in Windows directory
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
310⤵
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
311⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
312⤵
- Checks computer location settings
PID:4016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
313⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
314⤵
- Modifies registry class
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
315⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
316⤵
PID:164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
317⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
318⤵
- Checks computer location settings
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
319⤵
- Drops file in Windows directory
PID:1912

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
320⤵
- Checks computer location settings
PID:3984

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
321⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
322⤵
PID:3932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
323⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
324⤵
- Checks computer location settings
- Modifies registry class
PID:3952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
325⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
326⤵
- Checks computer location settings
PID:4248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
327⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
328⤵
PID:2164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
329⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
330⤵
PID:4232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
331⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
332⤵
PID:2896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
333⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
334⤵
PID:3044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
335⤵
- Drops file in Windows directory
PID:716

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
336⤵
PID:4340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
337⤵
- Drops file in Windows directory
PID:3232

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
338⤵
- Checks computer location settings
PID:2852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
339⤵
- Drops file in Windows directory
PID:3540

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
340⤵
- Modifies registry class
PID:2860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
341⤵
- Drops file in Windows directory
PID:4852

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
342⤵
- Modifies registry class
PID:4496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
343⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
344⤵
- Drops file in Windows directory
PID:1800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
345⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
346⤵
PID:1932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
347⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
348⤵
- Checks computer location settings
PID:2956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
349⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
350⤵
PID:2160

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
351⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
352⤵
- Checks computer location settings
PID:3432

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
353⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
354⤵
- Drops file in Windows directory
- Modifies registry class
PID:1076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
355⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
356⤵
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
357⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
358⤵
- Checks computer location settings
PID:1504

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
359⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
360⤵
- Modifies registry class
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
361⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
362⤵
- Checks computer location settings
PID:4964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
363⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
364⤵
- Checks computer location settings
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
365⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
366⤵
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
367⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
368⤵
- Modifies registry class
PID:220

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
369⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
370⤵
PID:3232

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
371⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
372⤵
- Modifies registry class
PID:3540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
373⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
374⤵
- Checks computer location settings
PID:4852

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
375⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
376⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
377⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
378⤵
- Modifies registry class
PID:2636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
379⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
380⤵
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
381⤵
- Drops file in Windows directory
PID:780

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
382⤵
PID:3796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
383⤵
- Drops file in Windows directory
PID:1452

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
384⤵
PID:3876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
385⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
386⤵
- Modifies registry class
PID:3900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
387⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
388⤵
- Checks computer location settings
- Modifies registry class
PID:1104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
389⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
390⤵
PID:4508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
391⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
392⤵
PID:2452

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
393⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
394⤵
- Modifies registry class
PID:2772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
395⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
396⤵
PID:1692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
397⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
398⤵
- Modifies registry class
PID:460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
399⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
400⤵
- Modifies registry class
PID:3520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
401⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
402⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
403⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
404⤵
- Checks computer location settings
PID:3924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
405⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
406⤵
- Modifies registry class
PID:3304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
407⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
408⤵
PID:4072

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
409⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
410⤵
- Modifies registry class
PID:5108

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
411⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
412⤵
- Drops file in Windows directory
PID:456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
413⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
414⤵
- Modifies registry class
PID:2780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
415⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
416⤵
PID:1868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
417⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
418⤵
- Checks computer location settings
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
419⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
420⤵
- Checks computer location settings
PID:3904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
421⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
422⤵
PID:2772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE"
423⤵
- Drops file in Windows directory
PID:652

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-0~1.EXE
424⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b7efe459acabac4ca888c6230117c406 GydKM8C6uE2ll1kWTm+u+w.0.1.0.0.0
1⤵
PID:560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:1868

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1228

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4500

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv GydKM8C6uE2ll1kWTm+u+w.0.2
1⤵
PID:844

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1316

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4188

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1932

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
e316c67c785d3e39e90341b0bbaac705

SHA1
7ffd89492438a97ad848068cfdaab30c66afca35

SHA256
4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478

SHA512
25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
Filesize
814KB

MD5
1871539ce7d10fa86a69d88817c88699

SHA1
77cd85e3be185549f58b9717d2ba442bbb4b3702

SHA256
5fa917ecb3603cec549bc4ba0b23b1a028100322e6f07bb1bc8f4c101fac38db

SHA512
1ab5408adad0fcbc95018ad748a7561e72897f866eab85318ce2ccdbadd7a3a5622ee31d7903d2d9ad9dece3d81acdbdb32807e62824b8a36fd13ec1484fb44a

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
Filesize
325KB

MD5
0511abca39ed6d36fff86a8b6f2266cd

SHA1
bfe55ac898d7a570ec535328b6283a1cdfa33b00

SHA256
76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8

SHA512
6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
6f87ccb8ab73b21c9b8288b812de8efa

SHA1
a709254f843a4cb50eec3bb0a4170ad3e74ea9b3

SHA256
14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22

SHA512
619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
de69c005b0bbb513e946389227183eeb

SHA1
2a64efdcdc71654356f77a5b77da8b840dcc6674

SHA256
ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7

SHA512
6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
550KB

MD5
96139c14b977d1c467630b436b092129

SHA1
9cefa1b1f0cd9ab78855ffc4436cdbf93d3261b1

SHA256
e592bb4e6dbde3b35f7c7bd111c78a3211ced64ef543d0c9ec98471929145748

SHA512
de2a61c19b0bcec32228845ced9dac980d1e54168c78e073473ecf9b97e22f80770ab0aa2f2a36e06f323abc33124c874d52e5e2bc70a69d3bd2128e52b7493b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-22_2219802df8a09e0ce53ddf7dc5fde337_hiddentear_neshta.exe
Filesize
177KB

MD5
74960a8957bda5fc43fdbbee00c8e43a

SHA1
7aa001d4146115aba8c60764f2be00e73a9ced76

SHA256
43a7fc63f2bbf150e97eeb9a63cd0923bcb97732b61cca264381eb303d2ce749

SHA512
cb4c7affbc0f351f612c3a864801b7c20de1dfff8546def3981d3bcac1bc0b1e1591af54dce46e0ce5fe088c76847a549e782180666c031b8729e07fbe04943c

Download Submit
C:\Users\Admin\AppData\Roaming\updater.exe
Filesize
136KB

MD5
6a1dcbda969e49f2f93320b523fad8cf

SHA1
aac07c2bc15defa172211edc6e1462907fc5d012

SHA256
2bc8125605ae7ee338485591b4e8bb7e749eb75d590d36bc8f5ad7e72b9fe08d

SHA512
fbad56e5716f5c98520406d5ba01b19ce6ecb3a5ac9913e46451f75623c31c86f692007333b367b615822a3a772b97ab5b6750cb3c9d5e23e129724d0e79b9ed

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
aa5d44cd21bb1f0a90a1640a3dde0b2d

SHA1
c1ac58e1bc96fbc646edcab48fcca80065bdc0a5

SHA256
4376f4b31a258954dd36ca9916dfb71d72e8aa98920bf2091e0836df665551f6

SHA512
bffca5e0acc727e5aa256d05f751480208bbcd4915f02b39a9269a8e0d26caf7f74ae9bcc7276f808024463b756038b5e49fc240556cd20db8b3cdbe8a182d8d

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
8fa91495aa472bea34f0746d9d8afa41

SHA1
a76f8c6827049cd9463f807d669da38a4fe29cb8

SHA256
81325e9702d79b2844cddc4b9215241d80017e91fc35d97ae6a4c0a247a989de

SHA512
d2986a7edb0cabfb96969a42e00d1764bc50e9f570cb98f69f6dd16aa41dffb0215d12efb8cab23f79b7731255850fdcc1a7a7bd837f44c1158be34c7f1736f6

Download Submit
memory/224-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/404-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/716-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/744-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1072-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1072-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1144-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1256-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1356-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1428-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1672-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-1473-0x00000000008E0000-0x0000000000908000-memory.dmp

Filesize
160KB

Download
memory/1700-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1788-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1844-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1868-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1876-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2004-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2140-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3100-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3124-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3168-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3476-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4088-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4216-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4244-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4416-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4492-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4508-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4536-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4552-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4552-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4608-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4904-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4992-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5000-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download