neshta | a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

Resubmissions

19-10-2024 11:46

241019-nxh3lawepj 10

19-10-2024 11:42

19-10-2024 11:38

19-10-2024 11:33

19-10-2024 11:27

19-10-2024 11:23

19-10-2024 11:11

19-10-2024 11:07

Analysis

max time kernel
164s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6812964531.exe
Size

67KB
MD5

7de65122a13ab9d81368ee3dff3cc80a
SHA1

ecbb4db641431d4d672e4b88e8d309419fd32f04
SHA256

a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
SHA512

b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
SSDEEP

1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj

Score

10^/10

neshta umbral discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cheats.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta

Detect Umbral payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cheat.exe	family_umbral

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cheats.exe

Executes dropped EXE 36 IoCs

Processes:

cheats.execheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheat.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exe

pid	process
1756	cheats.exe
3152	cheats.exe
4620	svchost.com
2840	cheats.exe
4044	svchost.com
1808	cheats.exe
2828	svchost.com
1364	cheats.exe
1980	svchost.com
3444	cheats.exe
556	svchost.com
2608	cheats.exe
1112	svchost.com
4100	cheat.exe
3904	svchost.com
3476	cheats.exe
4644	svchost.com
4852	cheats.exe
1748	svchost.com
4564	cheats.exe
1572	svchost.com
2188	cheats.exe
4116	svchost.com
4848	cheats.exe
3860	svchost.com
4648	cheats.exe
4196	svchost.com
4924	cheats.exe
3760	svchost.com
2508	cheats.exe
3512	svchost.com
1852	cheats.exe
4584	svchost.com
4560	cheats.exe
4564	svchost.com
4860	cheats.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

cheats.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" cheats.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ip-api.com

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cheats.exe

flow	ioc
93	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

cheats.execheats.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	cheats.exe

Drops file in Windows directory 64 IoCs

Processes:

cheats.exesvchost.comsvchost.comcheats.exesvchost.comsvchost.comsvchost.comcheats.execheats.exesvchost.comsvchost.comcheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.execheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.execheats.exesvchost.comcheats.exesvchost.comcheats.execheats.exesvchost.comsvchost.comcheats.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cheats.execheats.exesvchost.comsvchost.comsvchost.comcheats.exesvchost.comcheats.exe6812964531.execheats.execheats.exesvchost.comcheats.execheats.execheats.execheats.execheats.execheats.execheats.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comcheats.execheats.execheats.exesvchost.comcheats.exesvchost.comcheats.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6812964531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe

Modifies registry class 19 IoCs

Processes:

cheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exejava.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exejavaw.execheats.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	java.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cheats.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1436 schtasks.exe

pid	process
1436	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2280	WMIC.exe
Token: SeSecurityPrivilege	2280	WMIC.exe
Token: SeTakeOwnershipPrivilege	2280	WMIC.exe
Token: SeLoadDriverPrivilege	2280	WMIC.exe
Token: SeSystemProfilePrivilege	2280	WMIC.exe
Token: SeSystemtimePrivilege	2280	WMIC.exe
Token: SeProfSingleProcessPrivilege	2280	WMIC.exe
Token: SeIncBasePriorityPrivilege	2280	WMIC.exe
Token: SeCreatePagefilePrivilege	2280	WMIC.exe
Token: SeBackupPrivilege	2280	WMIC.exe
Token: SeRestorePrivilege	2280	WMIC.exe
Token: SeShutdownPrivilege	2280	WMIC.exe
Token: SeDebugPrivilege	2280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2280	WMIC.exe
Token: SeRemoteShutdownPrivilege	2280	WMIC.exe
Token: SeUndockPrivilege	2280	WMIC.exe
Token: SeManageVolumePrivilege	2280	WMIC.exe
Token: 33	2280	WMIC.exe
Token: 34	2280	WMIC.exe
Token: 35	2280	WMIC.exe
Token: 36	2280	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2280	WMIC.exe
Token: SeSecurityPrivilege	2280	WMIC.exe
Token: SeTakeOwnershipPrivilege	2280	WMIC.exe
Token: SeLoadDriverPrivilege	2280	WMIC.exe
Token: SeSystemProfilePrivilege	2280	WMIC.exe
Token: SeSystemtimePrivilege	2280	WMIC.exe
Token: SeProfSingleProcessPrivilege	2280	WMIC.exe
Token: SeIncBasePriorityPrivilege	2280	WMIC.exe
Token: SeCreatePagefilePrivilege	2280	WMIC.exe
Token: SeBackupPrivilege	2280	WMIC.exe
Token: SeRestorePrivilege	2280	WMIC.exe
Token: SeShutdownPrivilege	2280	WMIC.exe
Token: SeDebugPrivilege	2280	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2280	WMIC.exe
Token: SeRemoteShutdownPrivilege	2280	WMIC.exe
Token: SeUndockPrivilege	2280	WMIC.exe
Token: SeManageVolumePrivilege	2280	WMIC.exe
Token: 33	2280	WMIC.exe
Token: 34	2280	WMIC.exe
Token: 35	2280	WMIC.exe
Token: 36	2280	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exejavaw.exe

pid process

4560 java.exe
1836 javaw.exe

pid	process
4560	java.exe
1836	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6812964531.exejavaw.exejava.execmd.execmd.exejavaw.execmd.execmd.execheats.execheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.exe

description	pid	process	target process
PID 2296 wrote to memory of 3020	2296	6812964531.exe	javaw.exe
PID 2296 wrote to memory of 3020	2296	6812964531.exe	javaw.exe
PID 3020 wrote to memory of 4560	3020	javaw.exe	java.exe
PID 3020 wrote to memory of 4560	3020	javaw.exe	java.exe
PID 4560 wrote to memory of 4808	4560	java.exe	cmd.exe
PID 4560 wrote to memory of 4808	4560	java.exe	cmd.exe
PID 4808 wrote to memory of 2292	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 2292	4808	cmd.exe	cacls.exe
PID 4560 wrote to memory of 2176	4560	java.exe	cmd.exe
PID 4560 wrote to memory of 2176	4560	java.exe	cmd.exe
PID 2176 wrote to memory of 1436	2176	cmd.exe	schtasks.exe
PID 2176 wrote to memory of 1436	2176	cmd.exe	schtasks.exe
PID 4560 wrote to memory of 1836	4560	java.exe	javaw.exe
PID 4560 wrote to memory of 1836	4560	java.exe	javaw.exe
PID 1836 wrote to memory of 3124	1836	javaw.exe	cmd.exe
PID 1836 wrote to memory of 3124	1836	javaw.exe	cmd.exe
PID 3124 wrote to memory of 2280	3124	cmd.exe	WMIC.exe
PID 3124 wrote to memory of 2280	3124	cmd.exe	WMIC.exe
PID 1836 wrote to memory of 4804	1836	javaw.exe	cmd.exe
PID 1836 wrote to memory of 4804	1836	javaw.exe	cmd.exe
PID 4804 wrote to memory of 1852	4804	cmd.exe	WMIC.exe
PID 4804 wrote to memory of 1852	4804	cmd.exe	WMIC.exe
PID 1836 wrote to memory of 1756	1836	javaw.exe	cheats.exe
PID 1836 wrote to memory of 1756	1836	javaw.exe	cheats.exe
PID 1836 wrote to memory of 1756	1836	javaw.exe	cheats.exe
PID 1756 wrote to memory of 3152	1756	cheats.exe	cheats.exe
PID 1756 wrote to memory of 3152	1756	cheats.exe	cheats.exe
PID 1756 wrote to memory of 3152	1756	cheats.exe	cheats.exe
PID 3152 wrote to memory of 4620	3152	cheats.exe	svchost.com
PID 3152 wrote to memory of 4620	3152	cheats.exe	svchost.com
PID 3152 wrote to memory of 4620	3152	cheats.exe	svchost.com
PID 4620 wrote to memory of 2840	4620	svchost.com	cheats.exe
PID 4620 wrote to memory of 2840	4620	svchost.com	cheats.exe
PID 4620 wrote to memory of 2840	4620	svchost.com	cheats.exe
PID 2840 wrote to memory of 4044	2840	cheats.exe	svchost.com
PID 2840 wrote to memory of 4044	2840	cheats.exe	svchost.com
PID 2840 wrote to memory of 4044	2840	cheats.exe	svchost.com
PID 4044 wrote to memory of 1808	4044	svchost.com	cheats.exe
PID 4044 wrote to memory of 1808	4044	svchost.com	cheats.exe
PID 4044 wrote to memory of 1808	4044	svchost.com	cheats.exe
PID 1808 wrote to memory of 2828	1808	cheats.exe	svchost.com
PID 1808 wrote to memory of 2828	1808	cheats.exe	svchost.com
PID 1808 wrote to memory of 2828	1808	cheats.exe	svchost.com
PID 2828 wrote to memory of 1364	2828	svchost.com	cheats.exe
PID 2828 wrote to memory of 1364	2828	svchost.com	cheats.exe
PID 2828 wrote to memory of 1364	2828	svchost.com	cheats.exe
PID 1364 wrote to memory of 1980	1364	cheats.exe	svchost.com
PID 1364 wrote to memory of 1980	1364	cheats.exe	svchost.com
PID 1364 wrote to memory of 1980	1364	cheats.exe	svchost.com
PID 1980 wrote to memory of 3444	1980	svchost.com	cheats.exe
PID 1980 wrote to memory of 3444	1980	svchost.com	cheats.exe
PID 1980 wrote to memory of 3444	1980	svchost.com	cheats.exe
PID 3444 wrote to memory of 556	3444	cheats.exe	svchost.com
PID 3444 wrote to memory of 556	3444	cheats.exe	svchost.com
PID 3444 wrote to memory of 556	3444	cheats.exe	svchost.com
PID 556 wrote to memory of 2608	556	svchost.com	cheats.exe
PID 556 wrote to memory of 2608	556	svchost.com	cheats.exe
PID 556 wrote to memory of 2608	556	svchost.com	cheats.exe
PID 1836 wrote to memory of 1112	1836	javaw.exe	svchost.com
PID 1836 wrote to memory of 1112	1836	javaw.exe	svchost.com
PID 1836 wrote to memory of 1112	1836	javaw.exe	svchost.com
PID 1112 wrote to memory of 4100	1112	svchost.com	cheat.exe
PID 1112 wrote to memory of 4100	1112	svchost.com	cheat.exe
PID 2608 wrote to memory of 3904	2608	cheats.exe	svchost.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6812964531.exe
"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    java -jar C:\Users\Admin\download_libra.jar
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:2292
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1436
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
      4⤵
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c wmic cpu get name
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\cheats.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        39⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        40⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        41⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        42⤵
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        43⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        44⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        45⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        46⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        47⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        48⤵
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        49⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        50⤵
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        51⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        52⤵
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        53⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        54⤵
        
        PID:3168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        55⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        56⤵
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        57⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        58⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        59⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        60⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        61⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        62⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        63⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        64⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        65⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        66⤵
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        67⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        68⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        69⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        70⤵
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        71⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        72⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        73⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        74⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        75⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        76⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        77⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        78⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        79⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        80⤵
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        81⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        82⤵
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        83⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        84⤵
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        85⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        86⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        87⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        88⤵
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        89⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        90⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        91⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        92⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        93⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        94⤵
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        95⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        96⤵
        
        PID:3764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        97⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        98⤵
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        99⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        100⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        101⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        102⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        103⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        104⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        105⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        106⤵
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        107⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        108⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        109⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        110⤵
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        111⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        112⤵
        
        PID:4100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        113⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        114⤵
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        115⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        116⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        117⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        118⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        119⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        120⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        121⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        122⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        123⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        124⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        125⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        126⤵
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        127⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        128⤵
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        129⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        130⤵
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        131⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        132⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        133⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        134⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        135⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        136⤵
        
        PID:3128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        137⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        138⤵
        
        PID:3984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        139⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        140⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        141⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        142⤵
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        143⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        144⤵
        
        PID:3408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        145⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        146⤵
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        147⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        148⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        149⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        150⤵
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        151⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        152⤵
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        153⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        154⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        155⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        156⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        157⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        158⤵
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        159⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        160⤵
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        161⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        162⤵
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        163⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        164⤵
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        165⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        166⤵
        
        PID:3460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        167⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        168⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        169⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        170⤵
        
        PID:3956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        171⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        172⤵
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        173⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        174⤵
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        175⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        176⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        177⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        178⤵
        
        PID:920
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\cheat.exe
        
        C:\Users\Admin\AppData\Local\Temp\cheat.exe
        6⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3460

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c855fafac484a000ed4b158cb3149870

SHA1
ad8f0cf9bf4117b01ec0b151212bbcdce10ea5e1

SHA256
69083df872d3e082bc43d1f6eabb5d9ba2501122586d38cfbbd140a6564c2297

SHA512
a47beb49489d3f15a038fc4bb5fe548b7727cfbe233b0fae88a397a7affdc123b7001c8c555a0ff18ad3b40b89da7746422e7df26b3a2090ae65831f61d22796

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
35986b20cbfbf71a2475a57d657031ac

SHA1
501e05ab9432674576540756d2af62bb104d887b

SHA256
810c1936d297338b80a375f10d2ac2b208ab40ded40e88d91a88068564f4ffc6

SHA512
acb3d82df2b2bc03d93e69ff71709fb5691697f0edb5d4e894e76bc31af16582dd38c6d25baacb56460fe9eee2938bd983feef1736dd67c1c07d2ab806b3aff3

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe

Filesize
144KB

MD5
1df5bef57c72b8d23f5263046e5dd043

SHA1
68e859eca519f8f5cc1c9ceb3dfaaac87e17b544

SHA256
43bb08a4762778843eca24c57d61f854a3c4a21f4da9f6bb15a34764a07596f3

SHA512
4bee5ae57f39b842c481280ac98c75106ed41aa34b783c2967a705511268fe2a4a2a489386c9b5bd2d291454989b9d7f7d644ef36300ca9feada4f016c592332

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe

Filesize
229KB

MD5
57b52820e80bbf21cb91858308b64a43

SHA1
681de078a2bab05ff51d6b211a6136cd0a4cf5c5

SHA256
cad17c73e90686eee88e8e73039d69d0969a544a20d324cb30efe4849bf22be2

SHA512
981daa6346b6887d92fc77e865a9de661ebdf5216cca2c05a2817b28833a02a07ae5c64d181990dd0d86971e740a44e709b058a50cbef146066e00bce6628454

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheats.exe

Filesize
184KB

MD5
747dd5a520297697c280a00436847460

SHA1
ba34ad6acda4b8f7c505fc0fe07e0d3731593ebc

SHA256
a35b444973ad875aefc91b2e25a9072a881fd351bb6da9d1ab48e30dbe56fd73

SHA512
79923dd5a5cdde950cac7c692951717a051a36207f125ab8b114d01cf38095e763d568a9f03e757c27f0f90ce387cf8d9685883c561c96b9bf1362e26a1d6058

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\83aa4cc77f591dfc2374580bbd95f6ba_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\download_libra.jar

Filesize
25.9MB

MD5
7f5cb2f0fc60c8c5e495cb828ba10dfe

SHA1
ae00f557b8112005d6cfb2a231ba99cd28abc0e4

SHA256
61f7e2ca8ed572dd4bbea19a4676ff48b923010c5dfa62db9e8930caada77d82

SHA512
9aee7efd4d8a01dd7232d1a39e95e81adefd8ff267be7bcae19749efb3a5140013000757a5f2c60190faaa68f881153acc7f70d3ddbcaed6a12a89fb82028c43

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
4c33ba9cfe2ca5b6c0902c46c7220d8e

SHA1
4cfb259fab3a38a9ee5e28a8103c7a5580d8276e

SHA256
4512f61f607eadab923adf375b758ed453d02df58ecfd347bdf2702ad5922bc2

SHA512
2b56678f9a6fd6490d949c96ff9be99ff8573b5d8cf5c06ad15c7b6f4dac4ad9c54427209b1cd8e695809de5a39a8d3864ae2e65c00dc1c5792c5fcfd3259b78

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
23c65e4918a61737b403cf9114dbc62e

SHA1
d160282349d0061db290ab429c18685935ff428a

SHA256
8e746f8fdf5625f8b3d2725d613ea9f181d923d23dd589b60ab2e89034cfc350

SHA512
1cfaae21366394dee5a1ffe2a1aa38aab6f989e136a0edb28797ea1a00e346f81760525658a7a060eeba16cbf072fbe3b227aea7d409bcf54b5f81b399cec26e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
223dd32576ace5da898257671c5cdf36

SHA1
87474af22e6a24ef24de43d2e798c87bd986514c

SHA256
8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254

SHA512
aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

Download Submit
memory/1836-284-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-287-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-283-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-282-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-276-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-267-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-290-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-259-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/1836-297-0x000001C6AAC30000-0x000001C6AAC31000-memory.dmp

Filesize
4KB

Download
memory/2296-0-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/3020-114-0x0000024D5A4C0000-0x0000024D5A4D0000-memory.dmp

Filesize
64KB

Download
memory/3020-161-0x0000024D5A590000-0x0000024D5A5A0000-memory.dmp

Filesize
64KB

Download
memory/3020-63-0x0000024D5A430000-0x0000024D5A440000-memory.dmp

Filesize
64KB

Download
memory/3020-62-0x0000024D5A370000-0x0000024D5A380000-memory.dmp

Filesize
64KB

Download
memory/3020-70-0x0000024D5A3C0000-0x0000024D5A3D0000-memory.dmp

Filesize
64KB

Download
memory/3020-69-0x0000024D5A390000-0x0000024D5A3A0000-memory.dmp

Filesize
64KB

Download
memory/3020-68-0x0000024D5A450000-0x0000024D5A460000-memory.dmp

Filesize
64KB

Download
memory/3020-67-0x0000024D5A440000-0x0000024D5A450000-memory.dmp

Filesize
64KB

Download
memory/3020-66-0x0000024D5A380000-0x0000024D5A390000-memory.dmp

Filesize
64KB

Download
memory/3020-72-0x0000024D5A3A0000-0x0000024D5A3B0000-memory.dmp

Filesize
64KB

Download
memory/3020-74-0x0000024D5A460000-0x0000024D5A470000-memory.dmp

Filesize
64KB

Download
memory/3020-73-0x0000024D5A3B0000-0x0000024D5A3C0000-memory.dmp

Filesize
64KB

Download
memory/3020-77-0x0000024D5A3D0000-0x0000024D5A3E0000-memory.dmp

Filesize
64KB

Download
memory/3020-78-0x0000024D5A470000-0x0000024D5A480000-memory.dmp

Filesize
64KB

Download
memory/3020-79-0x0000024D587F0000-0x0000024D587F1000-memory.dmp

Filesize
4KB

Download
memory/3020-80-0x0000024D5A3E0000-0x0000024D5A3F0000-memory.dmp

Filesize
64KB

Download
memory/3020-84-0x0000024D5A480000-0x0000024D5A490000-memory.dmp

Filesize
64KB

Download
memory/3020-83-0x0000024D5A3F0000-0x0000024D5A400000-memory.dmp

Filesize
64KB

Download
memory/3020-86-0x0000024D5A400000-0x0000024D5A410000-memory.dmp

Filesize
64KB

Download
memory/3020-87-0x0000024D5A490000-0x0000024D5A4A0000-memory.dmp

Filesize
64KB

Download
memory/3020-90-0x0000024D5A410000-0x0000024D5A420000-memory.dmp

Filesize
64KB

Download
memory/3020-92-0x0000024D5A420000-0x0000024D5A430000-memory.dmp

Filesize
64KB

Download
memory/3020-93-0x0000024D5A4A0000-0x0000024D5A4B0000-memory.dmp

Filesize
64KB

Download
memory/3020-95-0x0000024D5A430000-0x0000024D5A440000-memory.dmp

Filesize
64KB

Download
memory/3020-97-0x0000024D5A440000-0x0000024D5A450000-memory.dmp

Filesize
64KB

Download
memory/3020-98-0x0000024D5A450000-0x0000024D5A460000-memory.dmp

Filesize
64KB

Download
memory/3020-99-0x0000024D5A4B0000-0x0000024D5A4C0000-memory.dmp

Filesize
64KB

Download
memory/3020-101-0x0000024D5A460000-0x0000024D5A470000-memory.dmp

Filesize
64KB

Download
memory/3020-102-0x0000024D5A470000-0x0000024D5A480000-memory.dmp

Filesize
64KB

Download
memory/3020-104-0x0000024D587F0000-0x0000024D587F1000-memory.dmp

Filesize
4KB

Download
memory/3020-105-0x0000024D5A480000-0x0000024D5A490000-memory.dmp

Filesize
64KB

Download
memory/3020-106-0x0000024D5A490000-0x0000024D5A4A0000-memory.dmp

Filesize
64KB

Download
memory/3020-108-0x0000024D5A4C0000-0x0000024D5A4D0000-memory.dmp

Filesize
64KB

Download
memory/3020-111-0x0000024D5A4D0000-0x0000024D5A4E0000-memory.dmp

Filesize
64KB

Download
memory/3020-110-0x0000024D5A4A0000-0x0000024D5A4B0000-memory.dmp

Filesize
64KB

Download
memory/3020-113-0x0000024D5A4B0000-0x0000024D5A4C0000-memory.dmp

Filesize
64KB

Download
memory/3020-56-0x0000024D5A350000-0x0000024D5A360000-memory.dmp

Filesize
64KB

Download
memory/3020-116-0x0000024D5A4D0000-0x0000024D5A4E0000-memory.dmp

Filesize
64KB

Download
memory/3020-117-0x0000024D5A4E0000-0x0000024D5A4F0000-memory.dmp

Filesize
64KB

Download
memory/3020-120-0x0000024D5A4F0000-0x0000024D5A500000-memory.dmp

Filesize
64KB

Download
memory/3020-122-0x0000024D5A4E0000-0x0000024D5A4F0000-memory.dmp

Filesize
64KB

Download
memory/3020-123-0x0000024D5A4F0000-0x0000024D5A500000-memory.dmp

Filesize
64KB

Download
memory/3020-129-0x0000024D5A500000-0x0000024D5A510000-memory.dmp

Filesize
64KB

Download
memory/3020-141-0x0000024D5A510000-0x0000024D5A520000-memory.dmp

Filesize
64KB

Download
memory/3020-142-0x0000024D5A520000-0x0000024D5A530000-memory.dmp

Filesize
64KB

Download
memory/3020-144-0x0000024D5A530000-0x0000024D5A540000-memory.dmp

Filesize
64KB

Download
memory/3020-146-0x0000024D5A540000-0x0000024D5A550000-memory.dmp

Filesize
64KB

Download
memory/3020-148-0x0000024D5A550000-0x0000024D5A560000-memory.dmp

Filesize
64KB

Download
memory/3020-150-0x0000024D5A560000-0x0000024D5A570000-memory.dmp

Filesize
64KB

Download
memory/3020-152-0x0000024D5A570000-0x0000024D5A580000-memory.dmp

Filesize
64KB

Download
memory/3020-157-0x0000024D5A580000-0x0000024D5A590000-memory.dmp

Filesize
64KB

Download
memory/3020-60-0x0000024D5A420000-0x0000024D5A430000-memory.dmp

Filesize
64KB

Download
memory/3020-160-0x0000024D5A510000-0x0000024D5A520000-memory.dmp

Filesize
64KB

Download
memory/3020-165-0x0000024D5A5A0000-0x0000024D5A5B0000-memory.dmp

Filesize
64KB

Download
memory/3020-164-0x0000024D5A520000-0x0000024D5A530000-memory.dmp

Filesize
64KB

Download
memory/3020-168-0x0000024D5A530000-0x0000024D5A540000-memory.dmp

Filesize
64KB

Download
memory/3020-184-0x0000024D5A540000-0x0000024D5A550000-memory.dmp

Filesize
64KB

Download
memory/3020-196-0x0000024D5A550000-0x0000024D5A560000-memory.dmp

Filesize
64KB

Download
memory/3020-199-0x0000024D5A560000-0x0000024D5A570000-memory.dmp

Filesize
64KB

Download
memory/3020-204-0x0000024D5A570000-0x0000024D5A580000-memory.dmp

Filesize
64KB

Download
memory/3020-210-0x0000024D5A580000-0x0000024D5A590000-memory.dmp

Filesize
64KB

Download
memory/3020-3-0x0000024D5A0A0000-0x0000024D5A310000-memory.dmp

Filesize
2.4MB

Download
memory/3020-12-0x0000024D587F0000-0x0000024D587F1000-memory.dmp

Filesize
4KB

Download
memory/3020-57-0x0000024D5A360000-0x0000024D5A370000-memory.dmp

Filesize
64KB

Download
memory/3020-14-0x0000024D5A310000-0x0000024D5A320000-memory.dmp

Filesize
64KB

Download
memory/3020-16-0x0000024D5A320000-0x0000024D5A330000-memory.dmp

Filesize
64KB

Download
memory/3020-225-0x0000024D5A330000-0x0000024D5A340000-memory.dmp

Filesize
64KB

Download
memory/3020-232-0x0000024D5A3B0000-0x0000024D5A3C0000-memory.dmp

Filesize
64KB

Download
memory/3020-231-0x0000024D5A390000-0x0000024D5A3A0000-memory.dmp

Filesize
64KB

Download
memory/3020-230-0x0000024D5A380000-0x0000024D5A390000-memory.dmp

Filesize
64KB

Download
memory/3020-229-0x0000024D5A370000-0x0000024D5A380000-memory.dmp

Filesize
64KB

Download
memory/3020-228-0x0000024D5A360000-0x0000024D5A370000-memory.dmp

Filesize
64KB

Download
memory/3020-227-0x0000024D5A350000-0x0000024D5A360000-memory.dmp

Filesize
64KB

Download
memory/3020-226-0x0000024D5A340000-0x0000024D5A350000-memory.dmp

Filesize
64KB

Download
memory/3020-224-0x0000024D5A320000-0x0000024D5A330000-memory.dmp

Filesize
64KB

Download
memory/3020-223-0x0000024D5A310000-0x0000024D5A320000-memory.dmp

Filesize
64KB

Download
memory/3020-222-0x0000024D5A3A0000-0x0000024D5A3B0000-memory.dmp

Filesize
64KB

Download
memory/3020-221-0x0000024D587F0000-0x0000024D587F1000-memory.dmp

Filesize
4KB

Download
memory/3020-58-0x0000024D5A410000-0x0000024D5A420000-memory.dmp

Filesize
64KB

Download
memory/3020-54-0x0000024D5A340000-0x0000024D5A350000-memory.dmp

Filesize
64KB

Download
memory/3020-55-0x0000024D5A400000-0x0000024D5A410000-memory.dmp

Filesize
64KB

Download
memory/3020-50-0x0000024D5A3F0000-0x0000024D5A400000-memory.dmp

Filesize
64KB

Download
memory/3020-18-0x0000024D5A330000-0x0000024D5A340000-memory.dmp

Filesize
64KB

Download
memory/3020-49-0x0000024D5A330000-0x0000024D5A340000-memory.dmp

Filesize
64KB

Download
memory/3020-44-0x0000024D5A320000-0x0000024D5A330000-memory.dmp

Filesize
64KB

Download
memory/3020-45-0x0000024D5A3E0000-0x0000024D5A3F0000-memory.dmp

Filesize
64KB

Download
memory/3020-40-0x0000024D5A310000-0x0000024D5A320000-memory.dmp

Filesize
64KB

Download
memory/3020-41-0x0000024D5A3D0000-0x0000024D5A3E0000-memory.dmp

Filesize
64KB

Download
memory/3020-34-0x0000024D5A0A0000-0x0000024D5A310000-memory.dmp

Filesize
2.4MB

Download
memory/3020-35-0x0000024D5A3C0000-0x0000024D5A3D0000-memory.dmp

Filesize
64KB

Download
memory/3020-36-0x0000024D5A3A0000-0x0000024D5A3B0000-memory.dmp

Filesize
64KB

Download
memory/3020-37-0x0000024D5A3B0000-0x0000024D5A3C0000-memory.dmp

Filesize
64KB

Download
memory/3020-31-0x0000024D5A390000-0x0000024D5A3A0000-memory.dmp

Filesize
64KB

Download
memory/3020-29-0x0000024D5A380000-0x0000024D5A390000-memory.dmp

Filesize
64KB

Download
memory/3020-26-0x0000024D5A370000-0x0000024D5A380000-memory.dmp

Filesize
64KB

Download
memory/3020-23-0x0000024D5A350000-0x0000024D5A360000-memory.dmp

Filesize
64KB

Download
memory/3020-24-0x0000024D5A360000-0x0000024D5A370000-memory.dmp

Filesize
64KB

Download
memory/3020-20-0x0000024D5A340000-0x0000024D5A350000-memory.dmp

Filesize
64KB

Download
memory/4444-275-0x000001529FEA0000-0x000001529FEA1000-memory.dmp

Filesize
4KB

Download
memory/4560-220-0x000001F20B9C0000-0x000001F20BC30000-memory.dmp

Filesize
2.4MB

Download
memory/4560-206-0x000001F20B9A0000-0x000001F20B9A1000-memory.dmp

Filesize
4KB

Download
memory/4560-198-0x000001F20B9A0000-0x000001F20B9A1000-memory.dmp

Filesize
4KB

Download
memory/4560-185-0x000001F20B9C0000-0x000001F20BC30000-memory.dmp

Filesize
2.4MB

Download