neshta | 0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786

Analysis

max time kernel
33s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
Size

136KB
MD5

cec1b6eeedbcb3ca65a2693ed8168b10
SHA1

787fc47857bfc960ce6dbe0adc4927bfa38f72ee
SHA256

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786
SHA512

5a019f19ede30d5dce140b991f4c96afa9fe953216cf148bb015718ebe3ed93dd6787e1c50a9d7532fc61b7773df84caa709d2a6b46e018705cc36c405f95937
SSDEEP

1536:JxqjQ+P04wsmJCtQy0qEF0+nMSzG4pqSbi6y2xn0mOxqjQ+P04wsmJC:sr85CtQy0qEF0+nLi44Sbi6yE0cr85C

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cb0-4.dat	family_neshta
behavioral2/files/0x0007000000023cb1-10.dat	family_neshta
behavioral2/memory/368-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4796-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4988-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4148-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4760-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4696-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4028-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3772-62-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4132-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2176-74-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/536-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2204-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1144-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4856-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1984-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5052-111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000700000002029a-115.dat	family_neshta
behavioral2/files/0x00010000000202ab-134.dat	family_neshta
behavioral2/files/0x0004000000020364-133.dat	family_neshta
behavioral2/memory/3412-138-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2896-149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2108-150-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3828-161-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2136-162-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/384-172-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4104-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0002000000020329-180.dat	family_neshta
behavioral2/memory/1424-192-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214f5-198.dat	family_neshta
behavioral2/files/0x00010000000214f4-205.dat	family_neshta
behavioral2/files/0x00010000000214f6-204.dat	family_neshta
behavioral2/files/0x0001000000022f85-211.dat	family_neshta
behavioral2/files/0x0001000000022f43-210.dat	family_neshta
behavioral2/files/0x0001000000022f47-209.dat	family_neshta
behavioral2/memory/4812-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4444-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3604-257-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/740-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2148-268-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2132-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1520-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3824-297-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/832-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1260-305-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4312-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2328-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5112-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4384-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5108-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4468-342-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/748-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2184-345-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1912-351-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/60-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1068-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4372-366-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4968-367-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3308-369-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3004-375-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2892-377-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4188-383-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2016-385-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	0B881E~1.EXE

Executes dropped EXE 64 IoCs

Processes:

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exesvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com

pid	Process
3052	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
368	svchost.com
4796	0B881E~1.EXE
4988	svchost.com
4148	0B881E~1.EXE
4760	svchost.com
4696	0B881E~1.EXE
4028	svchost.com
3772	0B881E~1.EXE
4132	svchost.com
2176	0B881E~1.EXE
536	svchost.com
2204	0B881E~1.EXE
1144	svchost.com
4856	0B881E~1.EXE
1984	svchost.com
5052	0B881E~1.EXE
3412	svchost.com
2896	0B881E~1.EXE
2108	svchost.com
3828	0B881E~1.EXE
2136	svchost.com
384	0B881E~1.EXE
4104	svchost.com
1424	0B881E~1.EXE
4812	svchost.com
4444	0B881E~1.EXE
3604	svchost.com
740	0B881E~1.EXE
2148	svchost.com
2132	0B881E~1.EXE
1520	svchost.com
3824	0B881E~1.EXE
832	svchost.com
1260	0B881E~1.EXE
4312	svchost.com
2328	0B881E~1.EXE
5112	svchost.com
4384	0B881E~1.EXE
5108	svchost.com
4468	0B881E~1.EXE
748	svchost.com
2184	0B881E~1.EXE
1912	svchost.com
60	0B881E~1.EXE
1068	svchost.com
4372	0B881E~1.EXE
4968	svchost.com
3308	0B881E~1.EXE
3004	svchost.com
2892	0B881E~1.EXE
4188	svchost.com
2016	0B881E~1.EXE
1468	svchost.com
4764	0B881E~1.EXE
1684	svchost.com
2980	0B881E~1.EXE
4728	svchost.com
2208	0B881E~1.EXE
3692	svchost.com
3744	0B881E~1.EXE
3420	svchost.com
4616	0B881E~1.EXE
224	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe

description	ioc	Process
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.com0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXEsvchost.comsvchost.com0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.comsvchost.com0B881E~1.EXEsvchost.comsvchost.com

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	0B881E~1.EXE
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	0B881E~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXE0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe0B881E~1.EXE0B881E~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com0B881E~1.EXEsvchost.comsvchost.comsvchost.com0B881E~1.EXE0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.comsvchost.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0B881E~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

Processes:

0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE0B881E~1.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	0B881E~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exesvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXEsvchost.com0B881E~1.EXE

description	pid	Process	procid_target
PID 2964 wrote to memory of 3052	2964	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	84
PID 2964 wrote to memory of 3052	2964	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	84
PID 2964 wrote to memory of 3052	2964	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	84
PID 3052 wrote to memory of 368	3052	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	85
PID 3052 wrote to memory of 368	3052	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	85
PID 3052 wrote to memory of 368	3052	0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe	85
PID 368 wrote to memory of 4796	368	svchost.com	86
PID 368 wrote to memory of 4796	368	svchost.com	86
PID 368 wrote to memory of 4796	368	svchost.com	86
PID 4796 wrote to memory of 4988	4796	0B881E~1.EXE	87
PID 4796 wrote to memory of 4988	4796	0B881E~1.EXE	87
PID 4796 wrote to memory of 4988	4796	0B881E~1.EXE	87
PID 4988 wrote to memory of 4148	4988	svchost.com	88
PID 4988 wrote to memory of 4148	4988	svchost.com	88
PID 4988 wrote to memory of 4148	4988	svchost.com	88
PID 4148 wrote to memory of 4760	4148	0B881E~1.EXE	148
PID 4148 wrote to memory of 4760	4148	0B881E~1.EXE	148
PID 4148 wrote to memory of 4760	4148	0B881E~1.EXE	148
PID 4760 wrote to memory of 4696	4760	svchost.com	179
PID 4760 wrote to memory of 4696	4760	svchost.com	179
PID 4760 wrote to memory of 4696	4760	svchost.com	179
PID 4696 wrote to memory of 4028	4696	0B881E~1.EXE	91
PID 4696 wrote to memory of 4028	4696	0B881E~1.EXE	91
PID 4696 wrote to memory of 4028	4696	0B881E~1.EXE	91
PID 4028 wrote to memory of 3772	4028	svchost.com	181
PID 4028 wrote to memory of 3772	4028	svchost.com	181
PID 4028 wrote to memory of 3772	4028	svchost.com	181
PID 3772 wrote to memory of 4132	3772	0B881E~1.EXE	180
PID 3772 wrote to memory of 4132	3772	0B881E~1.EXE	180
PID 3772 wrote to memory of 4132	3772	0B881E~1.EXE	180
PID 4132 wrote to memory of 2176	4132	svchost.com	94
PID 4132 wrote to memory of 2176	4132	svchost.com	94
PID 4132 wrote to memory of 2176	4132	svchost.com	94
PID 2176 wrote to memory of 536	2176	0B881E~1.EXE	95
PID 2176 wrote to memory of 536	2176	0B881E~1.EXE	95
PID 2176 wrote to memory of 536	2176	0B881E~1.EXE	95
PID 536 wrote to memory of 2204	536	svchost.com	209
PID 536 wrote to memory of 2204	536	svchost.com	209
PID 536 wrote to memory of 2204	536	svchost.com	209
PID 2204 wrote to memory of 1144	2204	0B881E~1.EXE	97
PID 2204 wrote to memory of 1144	2204	0B881E~1.EXE	97
PID 2204 wrote to memory of 1144	2204	0B881E~1.EXE	97
PID 1144 wrote to memory of 4856	1144	svchost.com	98
PID 1144 wrote to memory of 4856	1144	svchost.com	98
PID 1144 wrote to memory of 4856	1144	svchost.com	98
PID 4856 wrote to memory of 1984	4856	0B881E~1.EXE	99
PID 4856 wrote to memory of 1984	4856	0B881E~1.EXE	99
PID 4856 wrote to memory of 1984	4856	0B881E~1.EXE	99
PID 1984 wrote to memory of 5052	1984	svchost.com	100
PID 1984 wrote to memory of 5052	1984	svchost.com	100
PID 1984 wrote to memory of 5052	1984	svchost.com	100
PID 5052 wrote to memory of 3412	5052	0B881E~1.EXE	102
PID 5052 wrote to memory of 3412	5052	0B881E~1.EXE	102
PID 5052 wrote to memory of 3412	5052	0B881E~1.EXE	102
PID 3412 wrote to memory of 2896	3412	svchost.com	164
PID 3412 wrote to memory of 2896	3412	svchost.com	164
PID 3412 wrote to memory of 2896	3412	svchost.com	164
PID 2896 wrote to memory of 2108	2896	0B881E~1.EXE	195
PID 2896 wrote to memory of 2108	2896	0B881E~1.EXE	195
PID 2896 wrote to memory of 2108	2896	0B881E~1.EXE	195
PID 2108 wrote to memory of 3828	2108	svchost.com	105
PID 2108 wrote to memory of 3828	2108	svchost.com	105
PID 2108 wrote to memory of 3828	2108	svchost.com	105
PID 3828 wrote to memory of 2136	3828	0B881E~1.EXE	106

C:\Users\Admin\AppData\Local\Temp\0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
"C:\Users\Admin\AppData\Local\Temp\0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\3582-490\0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        66⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        67⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        68⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        70⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        71⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        72⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        73⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        74⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        75⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        76⤵
        Drops file in Windows directory
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        78⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        81⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        82⤵
        Drops file in Windows directory
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        83⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        84⤵
        Modifies registry class
        
        PID:1384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        85⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        88⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        92⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        93⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        94⤵
        Modifies registry class
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        98⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        102⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        105⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        108⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        109⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        110⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        111⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        112⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        115⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        116⤵
        Checks computer location settings
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        117⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        118⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        120⤵
        Checks computer location settings
        
        PID:832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        122⤵
        Modifies registry class
        
        PID:1132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        123⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        124⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        125⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        126⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        128⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        131⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        132⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        133⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        134⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        135⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        136⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        138⤵
        Drops file in Windows directory
        
        PID:616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        139⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        140⤵
        Modifies registry class
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        141⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        142⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        144⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        146⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        147⤵
        Drops file in Windows directory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        149⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        150⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        151⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        153⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        154⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        156⤵
        Checks computer location settings
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        157⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        158⤵
        Checks computer location settings
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        160⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        161⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        162⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        163⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        165⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        167⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        168⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        169⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        170⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        171⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        175⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        176⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        177⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        178⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        179⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        180⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        181⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        182⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        184⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        185⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        186⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        187⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        188⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        189⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        190⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        192⤵
        Checks computer location settings
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        193⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        194⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        196⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        197⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        198⤵
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        199⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        200⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        201⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        202⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        203⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        204⤵
        
        PID:856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        205⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        206⤵
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        207⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        208⤵
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        209⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        210⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        211⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        212⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        213⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        214⤵
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        215⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        216⤵
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        217⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        218⤵
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        219⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        220⤵
        
        PID:3380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        221⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        222⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        223⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        224⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        225⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        226⤵
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        227⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        228⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        229⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        230⤵
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        231⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        232⤵
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        233⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        234⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        235⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        236⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        237⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        238⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        239⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        240⤵
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        241⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        242⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        243⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        244⤵
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        245⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        246⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        247⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        248⤵
        
        PID:3380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        249⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        250⤵
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        251⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        252⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        253⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        254⤵
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        255⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        256⤵
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        257⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        258⤵
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        259⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        260⤵
        
        PID:3240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        261⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        262⤵
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        263⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        264⤵
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        265⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        266⤵
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        267⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        268⤵
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        269⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        270⤵
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        271⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        272⤵
        
        PID:4988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        273⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        274⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        275⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        276⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        277⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        278⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        279⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        280⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        281⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        282⤵
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        283⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        284⤵
        
        PID:4476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        285⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        286⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        287⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        288⤵
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        289⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        290⤵
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        291⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        292⤵
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        293⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        294⤵
        
        PID:1276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        295⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        296⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        297⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        298⤵
        
        PID:3204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        299⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        300⤵
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        301⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        302⤵
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        303⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        304⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        305⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        306⤵
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        307⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        308⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        309⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        310⤵
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        311⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        312⤵
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        313⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        314⤵
        
        PID:4132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        315⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        316⤵
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        317⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        318⤵
        
        PID:4412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        319⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        320⤵
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        321⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        322⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        323⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        324⤵
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        325⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        326⤵
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        327⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        328⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        329⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        330⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        331⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        332⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        333⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        334⤵
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        335⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        336⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        337⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        338⤵
        
        PID:3868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        339⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        340⤵
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        341⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        342⤵
        
        PID:3372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        343⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        344⤵
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        345⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        346⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        347⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        348⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        349⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        350⤵
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        351⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        352⤵
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        353⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        354⤵
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        355⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        356⤵
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        357⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        358⤵
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        359⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        360⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        361⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        362⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        363⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        364⤵
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE"
        365⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\0B881E~1.EXE
        366⤵
        
        PID:1580

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4760

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
58f9bc16408d4db56519691315bb8a75

SHA1
ac94543044371e3ea49918eb0f114a29ab303004

SHA256
5562973f2b3aa9d0c6184143360f7861b4129605f5e63b896ad815f381e6475b

SHA512
e1884456f86bb7cf7d268942f6fc1bacaa550eac31aaf186d9e95c15bdc41d05638cfdea1762c92681225af72008d251b101e8f291e3a74f382832336b82d39d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
3ad3461ef1d630f38ed3749838bbedc3

SHA1
8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6

SHA256
32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62

SHA512
0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
366KB

MD5
f1dd0a0fe1c98603a4d5666f5175a911

SHA1
12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d

SHA256
f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264

SHA512
3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
2fbf8e73fc690c57c64459cb4c349ddb

SHA1
1038053aff4e542a8dbb77fc4d100fe083493e50

SHA256
408ad7354171bc8d51846bbe8238e8fbd6a5bf9b0b12b3f55b43f61e03371bf2

SHA512
7e29b6ae75865dc9e7004665f6c90513e5b8f593509cbd209f523ea5602ea9e242ef1fee867f8d293781a51fa816d502456bbe97414de2e7ecbc6f6f640a49fc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
366KB

MD5
d722ea08b4e55dbfca956d34b7fef6e2

SHA1
69119f4475fc6f7fd1f749c52b03cc49adf50014

SHA256
9fc432a9ce058ba19348e5918a716db8d429cfd87ae51deccc220ff5d2a9708c

SHA512
11bc7e857aeabbc3c914da0d00cdc34fe3cd42ebea22a3c688985dda1b94095ba634a3bc1c9d1e0a808f8be42f1d754233ab963d123329066b9e0cb6f3c3719a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
cdc455fa95578320bd27e0d89a7c9108

SHA1
60cde78a74e4943f349f1999be3b6fc3c19ab268

SHA256
d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9

SHA512
35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0b881e65b83b9650eb65a68102bb4aeebfd0813cc55e92b21f06b404fecc6786N.exe

Filesize
96KB

MD5
658083832293ccf19909871193b3350d

SHA1
bd977ec556983a6aa1201b3fe7df8ab30a139fdd

SHA256
3fd264f3c3d90209d85abd51a9db71a65d38f3922bfd74f038f936479e02ac2c

SHA512
a622964d0eeaab6cf2cac99351875257d3a0dca373e09b8ef916bdfa76eb19a8de2a8d6633f57d7415c610e8a401b1daab2182aa83cfa27da9f90db47f4ee8f4

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ede6f5d2e14b2d668596da56c81582fd

SHA1
4cc51d9410feba68d3703fdcc82c71ede1bc56af

SHA256
33fd3f0b648a28d8bfe79363983a08604a3d2d2a93cd734306a48ecadc84b58e

SHA512
f33b4256eca9848a6c02f5917362cac31c108311de331ca9ac2f67bb2ed95fde559d77919fec9eab50b0b35f814928f5a12cdb72dd639ae4f8518d0c23f0b28e

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/60-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/368-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/384-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/536-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/740-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/832-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1144-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1260-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1424-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1468-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1520-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1912-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1984-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2148-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2176-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2328-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3052-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3412-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3604-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3692-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3744-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3772-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3824-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3828-161-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4104-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4132-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4148-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4188-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4312-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4372-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4444-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4468-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4616-432-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4696-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4760-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4764-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4796-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4812-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4856-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4968-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5052-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download