neshta | ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451

Analysis

max time kernel
112s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
Size

249KB
MD5

5b947c4d6e59b8ccbedee940c6862110
SHA1

2279a75a9625f0fd5ca779c1b62dba6aeda3a8f2
SHA256

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451
SHA512

791a2dff640721f24ebaeeab0477118f8c0b584b7233d69f6eef2db528358243144e81625090c2c47d7d44a11818d2a91a0e1e6c65dc4fe4af61d8b805422830
SSDEEP

3072:sr85C5+l9BdmLlX1V8EzWY1SQpavo4zc5r85C:k95+7mkPY1/GzM9

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c9f-4.dat	family_neshta
behavioral2/files/0x0007000000023ca3-11.dat	family_neshta
behavioral2/memory/3152-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/852-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3352-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2296-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4132-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2556-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3448-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4904-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/900-75-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5040-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2292-79-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000700000002029a-90.dat	family_neshta
behavioral2/files/0x0004000000020325-106.dat	family_neshta
behavioral2/files/0x0006000000020249-109.dat	family_neshta
behavioral2/files/0x00010000000202ab-105.dat	family_neshta
behavioral2/files/0x0004000000020364-104.dat	family_neshta
behavioral2/files/0x00010000000202c3-103.dat	family_neshta
behavioral2/files/0x0004000000020352-102.dat	family_neshta
behavioral2/memory/4676-111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1952-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4020-123-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1060-134-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0002000000020329-138.dat	family_neshta
behavioral2/memory/1476-140-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4080-155-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214f5-161.dat	family_neshta
behavioral2/files/0x00010000000214f7-160.dat	family_neshta
behavioral2/files/0x0001000000022f52-169.dat	family_neshta
behavioral2/files/0x00010000000167c6-187.dat	family_neshta
behavioral2/files/0x00010000000167c8-184.dat	family_neshta
behavioral2/files/0x00010000000167e7-194.dat	family_neshta
behavioral2/files/0x0001000000022e90-219.dat	family_neshta
behavioral2/files/0x000100000001696d-216.dat	family_neshta
behavioral2/files/0x0001000000016911-215.dat	family_neshta
behavioral2/files/0x0001000000016914-213.dat	family_neshta
behavioral2/memory/1924-205-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000016912-202.dat	family_neshta
behavioral2/files/0x000200000001dbc7-199.dat	family_neshta
behavioral2/files/0x00010000000167c2-192.dat	family_neshta
behavioral2/files/0x00010000000167ad-182.dat	family_neshta
behavioral2/files/0x00010000000167ff-181.dat	family_neshta
behavioral2/memory/3400-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2204-244-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/744-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4844-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2704-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4668-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2500-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4756-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2592-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2780-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2796-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/372-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3172-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4336-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4624-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1496-310-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/32-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2248-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2324-320-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3712-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exeBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BA12FA~1.EXE

Executes dropped EXE 64 IoCs

Processes:

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exesvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.com

pid	Process
2824	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
3152	svchost.com
852	BA12FA~1.EXE
3352	svchost.com
2296	BA12FA~1.EXE
4132	svchost.com
2556	BA12FA~1.EXE
4804	svchost.com
3448	BA12FA~1.EXE
4904	svchost.com
900	BA12FA~1.EXE
5040	svchost.com
2292	BA12FA~1.EXE
4676	svchost.com
1952	BA12FA~1.EXE
4020	svchost.com
1060	BA12FA~1.EXE
1476	svchost.com
4080	BA12FA~1.EXE
1924	svchost.com
3400	BA12FA~1.EXE
2204	svchost.com
744	BA12FA~1.EXE
4844	svchost.com
2704	BA12FA~1.EXE
4668	svchost.com
2500	BA12FA~1.EXE
4756	svchost.com
2592	BA12FA~1.EXE
2780	svchost.com
2796	BA12FA~1.EXE
372	svchost.com
3172	BA12FA~1.EXE
4336	svchost.com
4624	BA12FA~1.EXE
1496	svchost.com
32	BA12FA~1.EXE
2248	svchost.com
2324	BA12FA~1.EXE
3712	svchost.com
756	BA12FA~1.EXE
1476	svchost.com
4184	BA12FA~1.EXE
4080	svchost.com
1508	BA12FA~1.EXE
3784	svchost.com
4156	BA12FA~1.EXE
1928	svchost.com
4304	BA12FA~1.EXE
4264	svchost.com
2312	BA12FA~1.EXE
2732	svchost.com
3520	BA12FA~1.EXE
2204	svchost.com
2552	BA12FA~1.EXE
4840	svchost.com
3980	BA12FA~1.EXE
3544	svchost.com
4668	BA12FA~1.EXE
2556	svchost.com
536	BA12FA~1.EXE
2780	svchost.com
3928	BA12FA~1.EXE
1472	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exeba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe

Drops file in Windows directory 64 IoCs

Processes:

BA12FA~1.EXEsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comBA12FA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.com

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	BA12FA~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	BA12FA~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comsvchost.comba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exesvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEsvchost.comsvchost.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BA12FA~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

Processes:

BA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXEBA12FA~1.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	BA12FA~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BA12FA~1.EXE

pid	Process
4804	BA12FA~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exeba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exesvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXEsvchost.comBA12FA~1.EXE

description	pid	Process	procid_target
PID 436 wrote to memory of 2824	436	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	85
PID 436 wrote to memory of 2824	436	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	85
PID 436 wrote to memory of 2824	436	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	85
PID 2824 wrote to memory of 3152	2824	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	86
PID 2824 wrote to memory of 3152	2824	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	86
PID 2824 wrote to memory of 3152	2824	ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe	86
PID 3152 wrote to memory of 852	3152	svchost.com	87
PID 3152 wrote to memory of 852	3152	svchost.com	87
PID 3152 wrote to memory of 852	3152	svchost.com	87
PID 852 wrote to memory of 3352	852	BA12FA~1.EXE	88
PID 852 wrote to memory of 3352	852	BA12FA~1.EXE	88
PID 852 wrote to memory of 3352	852	BA12FA~1.EXE	88
PID 3352 wrote to memory of 2296	3352	svchost.com	89
PID 3352 wrote to memory of 2296	3352	svchost.com	89
PID 3352 wrote to memory of 2296	3352	svchost.com	89
PID 2296 wrote to memory of 4132	2296	BA12FA~1.EXE	90
PID 2296 wrote to memory of 4132	2296	BA12FA~1.EXE	90
PID 2296 wrote to memory of 4132	2296	BA12FA~1.EXE	90
PID 4132 wrote to memory of 2556	4132	svchost.com	91
PID 4132 wrote to memory of 2556	4132	svchost.com	91
PID 4132 wrote to memory of 2556	4132	svchost.com	91
PID 2556 wrote to memory of 4804	2556	BA12FA~1.EXE	92
PID 2556 wrote to memory of 4804	2556	BA12FA~1.EXE	92
PID 2556 wrote to memory of 4804	2556	BA12FA~1.EXE	92
PID 4804 wrote to memory of 3448	4804	svchost.com	93
PID 4804 wrote to memory of 3448	4804	svchost.com	93
PID 4804 wrote to memory of 3448	4804	svchost.com	93
PID 3448 wrote to memory of 4904	3448	BA12FA~1.EXE	94
PID 3448 wrote to memory of 4904	3448	BA12FA~1.EXE	94
PID 3448 wrote to memory of 4904	3448	BA12FA~1.EXE	94
PID 4904 wrote to memory of 900	4904	svchost.com	95
PID 4904 wrote to memory of 900	4904	svchost.com	95
PID 4904 wrote to memory of 900	4904	svchost.com	95
PID 900 wrote to memory of 5040	900	BA12FA~1.EXE	96
PID 900 wrote to memory of 5040	900	BA12FA~1.EXE	96
PID 900 wrote to memory of 5040	900	BA12FA~1.EXE	96
PID 5040 wrote to memory of 2292	5040	svchost.com	97
PID 5040 wrote to memory of 2292	5040	svchost.com	97
PID 5040 wrote to memory of 2292	5040	svchost.com	97
PID 2292 wrote to memory of 4676	2292	BA12FA~1.EXE	98
PID 2292 wrote to memory of 4676	2292	BA12FA~1.EXE	98
PID 2292 wrote to memory of 4676	2292	BA12FA~1.EXE	98
PID 4676 wrote to memory of 1952	4676	svchost.com	99
PID 4676 wrote to memory of 1952	4676	svchost.com	99
PID 4676 wrote to memory of 1952	4676	svchost.com	99
PID 1952 wrote to memory of 4020	1952	BA12FA~1.EXE	100
PID 1952 wrote to memory of 4020	1952	BA12FA~1.EXE	100
PID 1952 wrote to memory of 4020	1952	BA12FA~1.EXE	100
PID 4020 wrote to memory of 1060	4020	svchost.com	101
PID 4020 wrote to memory of 1060	4020	svchost.com	101
PID 4020 wrote to memory of 1060	4020	svchost.com	101
PID 1060 wrote to memory of 1476	1060	BA12FA~1.EXE	126
PID 1060 wrote to memory of 1476	1060	BA12FA~1.EXE	126
PID 1060 wrote to memory of 1476	1060	BA12FA~1.EXE	126
PID 1476 wrote to memory of 4080	1476	svchost.com	129
PID 1476 wrote to memory of 4080	1476	svchost.com	129
PID 1476 wrote to memory of 4080	1476	svchost.com	129
PID 4080 wrote to memory of 1924	4080	BA12FA~1.EXE	104
PID 4080 wrote to memory of 1924	4080	BA12FA~1.EXE	104
PID 4080 wrote to memory of 1924	4080	BA12FA~1.EXE	104
PID 1924 wrote to memory of 3400	1924	svchost.com	105
PID 1924 wrote to memory of 3400	1924	svchost.com	105
PID 1924 wrote to memory of 3400	1924	svchost.com	105
PID 3400 wrote to memory of 2204	3400	BA12FA~1.EXE	139

C:\Users\Admin\AppData\Local\Temp\ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
"C:\Users\Admin\AppData\Local\Temp\ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\3582-490\ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        66⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        69⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        70⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        71⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        72⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        73⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        74⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        75⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        76⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        77⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        79⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        80⤵
        
        PID:4176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        82⤵
        
        PID:1176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        83⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        84⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        85⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        87⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        90⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        91⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        92⤵
        Checks computer location settings
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        93⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        94⤵
        Modifies registry class
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        97⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        98⤵
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        100⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        101⤵
        Drops file in Windows directory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        102⤵
        Checks computer location settings
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        104⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        106⤵
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        107⤵
        Drops file in Windows directory
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        108⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        110⤵
        Modifies registry class
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        113⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        114⤵
        Modifies registry class
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        115⤵
        Drops file in Windows directory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        117⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        118⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        119⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        120⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        121⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        123⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        124⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        125⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        126⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        128⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        129⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        130⤵
        Drops file in Windows directory
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        131⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        132⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        134⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        135⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        136⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        138⤵
        Modifies registry class
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        140⤵
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        141⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        142⤵
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        144⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        145⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        146⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        148⤵
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        150⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        152⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        153⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        154⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        155⤵
        Drops file in Windows directory
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        158⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        160⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        162⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        163⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        164⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        165⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        168⤵
        Checks computer location settings
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        170⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        172⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        173⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        174⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        176⤵
        Checks computer location settings
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        178⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        179⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        180⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        181⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        182⤵
        Drops file in Windows directory
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        183⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        184⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        185⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        186⤵
        Checks computer location settings
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        187⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        188⤵
        Modifies registry class
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        189⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        190⤵
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        191⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        192⤵
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        193⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        194⤵
        Checks computer location settings
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        195⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        196⤵
        Checks computer location settings
        
        PID:4176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        197⤵
        Drops file in Windows directory
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        198⤵
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        200⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        201⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        202⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        203⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        204⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        205⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        206⤵
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        208⤵
        Checks computer location settings
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        209⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        210⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        211⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        212⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        213⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        214⤵
        Checks computer location settings
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        215⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        216⤵
        Checks computer location settings
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        218⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        219⤵
        Drops file in Windows directory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        220⤵
        Checks computer location settings
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        221⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        222⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        223⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        224⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        225⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        227⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        228⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        230⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        231⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        232⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        233⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        235⤵
        Drops file in Windows directory
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        236⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        237⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        238⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        240⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        241⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        242⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        243⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        244⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        246⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        248⤵
        Drops file in Windows directory
        
        PID:3700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        249⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        250⤵
        
        PID:880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        252⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        253⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        254⤵
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        255⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        256⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        257⤵
        Drops file in Windows directory
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        258⤵
        Checks computer location settings
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        259⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        260⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        262⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        264⤵
        Drops file in Windows directory
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        265⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        266⤵
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        268⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        269⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        270⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        271⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        272⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        273⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        274⤵
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        275⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        276⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        278⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        279⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        280⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        281⤵
        Drops file in Windows directory
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        282⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        283⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        284⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        285⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        286⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        287⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        288⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE"
        289⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\BA12FA~1.EXE
        290⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3172

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv pTArXgVgXk+3H4RGqZVQ2g.0.2
1⤵
PID:1344

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3216

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3404

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5088

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
133KB

MD5
c215ce6330540cd1d45288f99d1317bb

SHA1
ad3821c39ef47d785f295710a22935d655eabadc

SHA256
df061ac8c0d9b1fd6fccebcc5d03b00d75855c45cd7a950c3b603eda1a320054

SHA512
461337bc43fefb0293312499724ff7cdb1edd021bc6636d6d1c998ccad0022efb86bde835ca2cc0e785e697d4ea247a4828451f3dc163f8be794effaf1ccb28d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
3ad3461ef1d630f38ed3749838bbedc3

SHA1
8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6

SHA256
32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62

SHA512
0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
366KB

MD5
f1dd0a0fe1c98603a4d5666f5175a911

SHA1
12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d

SHA256
f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264

SHA512
3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
262KB

MD5
cef23c0d66813029721b02e1b397826f

SHA1
31d8263edd8defa6a7e5e902d6ee2a7a5b857ee3

SHA256
f44146a1ed13a6c8969fcfc362e76c4970c33e7ce168e183313b8b390ef7fcd0

SHA512
6c438e4978562fb3715cea54f70c89896212ee7603089cbb59b96b08e5bff2344f8a2a7b5fd9ae044e4c6d57f50c839b2389160407d641b28511c50cdf0c646c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
1e09e65111ab34cb84f7855d3cddc680

SHA1
f9f852104b46d99cc7f57a6f40d5db2090be04c0

SHA256
8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c

SHA512
003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
4754ef85cf5992c484e75c0859cd0c12

SHA1
199b550e52f74d5a9932b1210979bc79a9b8f6fd

SHA256
da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330

SHA512
22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE

Filesize
201KB

MD5
c7f7803a2032d0d942340cfebba0a42c

SHA1
578062d0707e753ab58875fb3a52c23e6fe2adf6

SHA256
0f201a8142c5a8adc36d2a177dd8d430eef2b05cff0e4faefb52440e823b54bb

SHA512
48e3e1eb3a33c1b8c20411209d8ed261c00798393f5fdd691d3fa0abed2849d8eb241bedcbeefddfebbec292c7abd254023e25df77c85b46000fe63a7324172b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
07899948f9b8eaaa070d29c1a2019b6b

SHA1
ba38568335ab96e7945b243acc5bcc76ae9516e0

SHA256
60f38eb8f0dc139434e6c783e2a93b4f203e8cb20371a621387cb1e35fb15566

SHA512
fef0fd9abe159e916c8804df1a89b5f034afe578955e34a621e781c0e1d1adab2b2c2953c4c5fbbde5e8a8fb2503cb866b82c324290cd23990a18fe2d93ab918

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
3cfd732cd6a3399c411739a8b75b5ae2

SHA1
242b02177cbec61819c11c35c903a2994e83ae10

SHA256
e90c627265bc799db00828179a5d76717a577086755043ba223a9ac78510a2ff

SHA512
b7b61c5f9dab2c6a4e5157a934db5bb26727418698fa44f05fbb9af38cd93dee0261f3f28700bc5cb21e8947a542c3ee6166375ea262c19d41e84c68b0d0fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ba12faf36dc84a0bbd0d18dd3cb6f8813794c782a8a023663188cf0cf7cf8451N.exe

Filesize
208KB

MD5
c451c6a9c36f023ba8c6fd983d1b96d3

SHA1
8037c61bcd112baeac8ed47af251a26dfe207549

SHA256
bf93af19def80c053335b36053373af2522dd3eb54168e0f5299c4b0cf0cc80d

SHA512
1d154db7e9fa52d2107b8af887d4f5fc1883e4ab77e29afde2c264e8b1cb270989fee45e83dea911a983167edc570a16ccaf7146c149a25215c976cfad4bdebe

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8a71439ee8426aca8b25dee1525beeb7

SHA1
8a54e62e61994e18b66ea5d10e74dc135692fdf6

SHA256
44c29ea574a5b62555009ab5730c4947633f1abba497adc0af6c8b8807bdd12b

SHA512
aae05d1b3c7e57506f24a6b8c788244a4f4b080a9806d9236c13a56c1bc5e952e8338de5ffe8637136ba4943bd3b871cd7c43e39903b25f7c834f8ccba8f290a

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
4bde3376e01f16b1303cab41e9b385d1

SHA1
c8d697c3aed489cbedb1e03eb94032c02f16c881

SHA256
672f7fbc61082ce4ec448b45e815465fbd7a7fea043cb15bf57d25fe0e0002b0

SHA512
68ab9ba44c68258a7287859bab279f2bdbdb4c9d9073c3dce49f4e78f96c83986d2f98bde629bb75f8270054c3622a6b4d93ce06678bc4486ebd8261ef62dbd3

Download Submit
memory/32-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/372-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/536-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/744-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/756-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/852-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/900-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1496-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-429-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2296-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2324-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3172-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3400-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3520-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3544-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3784-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3928-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3980-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4020-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4132-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4156-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4184-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4264-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4336-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4624-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4668-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4668-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4676-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4756-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4840-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4904-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download