gh0strat | 1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
Size

2.3MB
MD5

c2178d8b3bdcf1210181170012e95b83
SHA1

1a6e51b004c5384c0af7882229f6a949395d588a
SHA256

1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1
SHA512

c99ca875c22893d98bbb11fd70eacbad3e180e78f55abc9421db350db91c58428b52398678db0ccbfe9942ce9bf2775a61af9f1d709ca87c7f08c8b62c45fa5a
SSDEEP

24576:dFbkIsaPiXSVnC7Yp9zkNmZG8RRln4yzrIila8CfcX50Kew+IVWQPYwKBdzuyMrt:dREXSVMDi3w0aFIP+DwKnwhFltZ

Score

10^/10

gh0strat neshta discovery persistence rat spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d07-2.dat	family_neshta
behavioral1/files/0x0001000000010318-10.dat	family_neshta
behavioral1/files/0x0008000000015da1-27.dat	family_neshta
behavioral1/files/0x0001000000010316-51.dat	family_neshta
behavioral1/memory/1592-59-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x001400000000f842-50.dat	family_neshta
behavioral1/files/0x005b00000001032b-49.dat	family_neshta
behavioral1/files/0x0008000000015d19-48.dat	family_neshta
behavioral1/files/0x000100000000f7cf-66.dat	family_neshta
behavioral1/memory/1052-82-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7eb-70.dat	family_neshta
behavioral1/files/0x000100000000f877-89.dat	family_neshta
behavioral1/files/0x00010000000118e7-103.dat	family_neshta
behavioral1/files/0x0001000000011b5b-109.dat	family_neshta
behavioral1/files/0x0003000000012145-136.dat	family_neshta
behavioral1/files/0x0003000000012148-135.dat	family_neshta
behavioral1/files/0x0003000000012186-131.dat	family_neshta
behavioral1/files/0x0003000000012184-139.dat	family_neshta
behavioral1/files/0x00010000000108fa-116.dat	family_neshta
behavioral1/memory/2932-140-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2052-115-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0002000000011813-152.dat	family_neshta
behavioral1/files/0x0001000000010b11-161.dat	family_neshta
behavioral1/files/0x0002000000010928-150.dat	family_neshta
behavioral1/memory/1900-149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1832-169-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00010000000115d0-170.dat	family_neshta
behavioral1/memory/1864-181-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1696-202-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/580-209-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/996-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2032-224-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1992-231-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1376-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010f34-101.dat	family_neshta
behavioral1/memory/1520-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2920-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2068-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1648-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2080-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2856-257-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1592-263-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2636-265-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/536-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2096-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/484-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1924-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2008-281-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/576-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2108-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010c16-97.dat	family_neshta
behavioral1/memory/2512-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1636-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2516-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2120-305-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2128-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1168-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1448-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1832-321-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/840-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2016-334-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/660-335-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2364-342-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/940-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d68-17.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259450925.bat"	look2.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2916	look2.exe
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1592	svchost.com
1052	HD_1D5~1.EXE
1924	svchost.com
2052	HD_1D5~1.EXE
2932	svchost.com
1900	HD_1D5~1.EXE
1832	svchost.com
1864	HD_1D5~1.EXE
1696	svchost.com
580	HD_1D5~1.EXE
996	svchost.com
2032	HD_1D5~1.EXE
1992	svchost.com
1376	HD_1D5~1.EXE
1520	svchost.com
2920	HD_1D5~1.EXE
2068	svchost.com
1648	HD_1D5~1.EXE
2080	svchost.com
2856	HD_1D5~1.EXE
1592	svchost.com
2636	HD_1D5~1.EXE
536	svchost.com
2096	HD_1D5~1.EXE
484	svchost.com
2008	HD_1D5~1.EXE
576	svchost.com
2108	HD_1D5~1.EXE
2512	svchost.com
1636	HD_1D5~1.EXE
2516	svchost.com
2120	HD_1D5~1.EXE
2128	svchost.com
1168	HD_1D5~1.EXE
1448	svchost.com
1832	HD_1D5~1.EXE
840	svchost.com
2016	HD_1D5~1.EXE
660	svchost.com
2364	HD_1D5~1.EXE
940	svchost.com
984	HD_1D5~1.EXE
996	svchost.com
2320	HD_1D5~1.EXE
1092	svchcst.exe
2032	svchost.com
1856	HD_1D5~1.EXE
1376	svchost.com
1496	HD_1D5~1.EXE
2344	svchost.com
2860	HD_1D5~1.EXE
2580	svchost.com
2080	HD_1D5~1.EXE
2856	svchost.com
1504	HD_1D5~1.EXE
2900	svchost.com
2796	HD_1D5~1.EXE
1000	svchost.com
2600	HD_1D5~1.EXE
1708	svchost.com
2256	HD_1D5~1.EXE

Loads dropped DLL 64 IoCs

pid	Process
2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2916	look2.exe
2868	svchost.exe
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1592	svchost.com
1592	svchost.com
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1924	svchost.com
1924	svchost.com
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2932	svchost.com
2932	svchost.com
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1832	svchost.com
1832	svchost.com
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1696	svchost.com
2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
1696	svchost.com
996	svchost.com
996	svchost.com
1992	svchost.com
1992	svchost.com
1520	svchost.com
1520	svchost.com
2068	svchost.com
2068	svchost.com
2080	svchost.com
2080	svchost.com
1592	svchost.com
1592	svchost.com
536	svchost.com
536	svchost.com
484	svchost.com
484	svchost.com
576	svchost.com
576	svchost.com
2512	svchost.com
2512	svchost.com
2516	svchost.com
2516	svchost.com
2128	svchost.com
2128	svchost.com
1448	svchost.com
1448	svchost.com
840	svchost.com
840	svchost.com
660	svchost.com
660	svchost.com
940	svchost.com
940	svchost.com
996	svchost.com
996	svchost.com
2868	svchost.exe
1092	svchcst.exe
2032	svchost.com
2032	svchost.com
1376	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\259450925.bat	look2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\directx.sys	HD_1D5~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1D5~1.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
2960	HD_1D5~1.EXE
2960	HD_1D5~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2832	2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	31
PID 2112 wrote to memory of 2832	2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	31
PID 2112 wrote to memory of 2832	2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	31
PID 2112 wrote to memory of 2832	2112	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	31
PID 2832 wrote to memory of 2916	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	32
PID 2832 wrote to memory of 2916	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	32
PID 2832 wrote to memory of 2916	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	32
PID 2832 wrote to memory of 2916	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	32
PID 2832 wrote to memory of 2848	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	35
PID 2832 wrote to memory of 2848	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	35
PID 2832 wrote to memory of 2848	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	35
PID 2832 wrote to memory of 2848	2832	1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	35
PID 2848 wrote to memory of 1592	2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	56
PID 2848 wrote to memory of 1592	2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	56
PID 2848 wrote to memory of 1592	2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	56
PID 2848 wrote to memory of 1592	2848	HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe	56
PID 1592 wrote to memory of 1052	1592	svchost.com	37
PID 1592 wrote to memory of 1052	1592	svchost.com	37
PID 1592 wrote to memory of 1052	1592	svchost.com	37
PID 1592 wrote to memory of 1052	1592	svchost.com	37
PID 1052 wrote to memory of 1924	1052	HD_1D5~1.EXE	38
PID 1052 wrote to memory of 1924	1052	HD_1D5~1.EXE	38
PID 1052 wrote to memory of 1924	1052	HD_1D5~1.EXE	38
PID 1052 wrote to memory of 1924	1052	HD_1D5~1.EXE	38
PID 1924 wrote to memory of 2052	1924	svchost.com	39
PID 1924 wrote to memory of 2052	1924	svchost.com	39
PID 1924 wrote to memory of 2052	1924	svchost.com	39
PID 1924 wrote to memory of 2052	1924	svchost.com	39
PID 2052 wrote to memory of 2932	2052	HD_1D5~1.EXE	40
PID 2052 wrote to memory of 2932	2052	HD_1D5~1.EXE	40
PID 2052 wrote to memory of 2932	2052	HD_1D5~1.EXE	40
PID 2052 wrote to memory of 2932	2052	HD_1D5~1.EXE	40
PID 2932 wrote to memory of 1900	2932	svchost.com	41
PID 2932 wrote to memory of 1900	2932	svchost.com	41
PID 2932 wrote to memory of 1900	2932	svchost.com	41
PID 2932 wrote to memory of 1900	2932	svchost.com	41
PID 1900 wrote to memory of 1832	1900	HD_1D5~1.EXE	71
PID 1900 wrote to memory of 1832	1900	HD_1D5~1.EXE	71
PID 1900 wrote to memory of 1832	1900	HD_1D5~1.EXE	71
PID 1900 wrote to memory of 1832	1900	HD_1D5~1.EXE	71
PID 1832 wrote to memory of 1864	1832	svchost.com	43
PID 1832 wrote to memory of 1864	1832	svchost.com	43
PID 1832 wrote to memory of 1864	1832	svchost.com	43
PID 1832 wrote to memory of 1864	1832	svchost.com	43
PID 1864 wrote to memory of 1696	1864	HD_1D5~1.EXE	44
PID 1864 wrote to memory of 1696	1864	HD_1D5~1.EXE	44
PID 1864 wrote to memory of 1696	1864	HD_1D5~1.EXE	44
PID 1864 wrote to memory of 1696	1864	HD_1D5~1.EXE	44
PID 1696 wrote to memory of 580	1696	svchost.com	45
PID 1696 wrote to memory of 580	1696	svchost.com	45
PID 1696 wrote to memory of 580	1696	svchost.com	45
PID 1696 wrote to memory of 580	1696	svchost.com	45
PID 580 wrote to memory of 996	580	HD_1D5~1.EXE	145
PID 580 wrote to memory of 996	580	HD_1D5~1.EXE	145
PID 580 wrote to memory of 996	580	HD_1D5~1.EXE	145
PID 580 wrote to memory of 996	580	HD_1D5~1.EXE	145
PID 996 wrote to memory of 2032	996	svchost.com	81
PID 996 wrote to memory of 2032	996	svchost.com	81
PID 996 wrote to memory of 2032	996	svchost.com	81
PID 996 wrote to memory of 2032	996	svchost.com	81
PID 2032 wrote to memory of 1992	2032	HD_1D5~1.EXE	48
PID 2032 wrote to memory of 1992	2032	HD_1D5~1.EXE	48
PID 2032 wrote to memory of 1992	2032	HD_1D5~1.EXE	48
PID 2032 wrote to memory of 1992	2032	HD_1D5~1.EXE	48

C:\Users\Admin\AppData\Local\Temp\1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
"C:\Users\Admin\AppData\Local\Temp\1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\3582-490\1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        17⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        21⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        23⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        27⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        29⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        33⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        35⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        41⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        47⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        52⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        53⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        55⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        57⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        58⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        60⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        61⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        62⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        63⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        64⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        66⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        67⤵
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        68⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        69⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        70⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        71⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        72⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        73⤵
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        74⤵
        Drops file in Windows directory
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        75⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        77⤵
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        78⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        79⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        81⤵
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        83⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        84⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        85⤵
        Drops file in Windows directory
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        87⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        88⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        89⤵
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        90⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        93⤵
        Drops file in Windows directory
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        94⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        95⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        96⤵
        Drops file in Windows directory
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        97⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        98⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        99⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        100⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        101⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        102⤵
        Drops file in Windows directory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        103⤵
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        104⤵
        Drops file in Windows directory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        105⤵
        
        PID:1464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        107⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        108⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        109⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        110⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        111⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        112⤵
        Drops file in Windows directory
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        113⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        114⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        115⤵
        
        PID:792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        116⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        117⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        118⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        119⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        120⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        121⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        122⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        123⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        124⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        125⤵
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        126⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        127⤵
        
        PID:712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        128⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        129⤵
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        130⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        131⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        132⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        133⤵
        
        PID:560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        134⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        135⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        136⤵
        Drops file in Windows directory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        137⤵
        Drops file in Windows directory
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        138⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        139⤵
        Drops file in Windows directory
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        141⤵
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        142⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        143⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        144⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        145⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        146⤵
        Drops file in Windows directory
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        147⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        148⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        149⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        151⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        152⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        153⤵
        Drops file in Windows directory
        
        PID:1328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        154⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        155⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        157⤵
        
        PID:236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        158⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        159⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        160⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        161⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        162⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        163⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        164⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        165⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        166⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        167⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        168⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        169⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        170⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        171⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        172⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        173⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        174⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        175⤵
        Drops file in Windows directory
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        176⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        177⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        178⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        180⤵
        Drops file in Windows directory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        181⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        182⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        183⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        184⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        185⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        186⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        188⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        190⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        191⤵
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        192⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        193⤵
        Drops file in Windows directory
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        194⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        195⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        196⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        197⤵
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        198⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        199⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        200⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        201⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        202⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        203⤵
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        205⤵
        Drops file in Windows directory
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        206⤵
        Drops file in Windows directory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        208⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        209⤵
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        210⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        211⤵
        
        PID:996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        212⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        214⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        217⤵
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        218⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        219⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        220⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        221⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        222⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        223⤵
        Drops file in Windows directory
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        224⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        225⤵
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        226⤵
        Drops file in Windows directory
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        227⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        229⤵
        
        PID:332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        230⤵
        Drops file in Windows directory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        231⤵
        
        PID:1168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        232⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        234⤵
        Drops file in Windows directory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        235⤵
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        236⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        237⤵
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        240⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        241⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        242⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        243⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        244⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        245⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        246⤵
        Drops file in Windows directory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        249⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        250⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        251⤵
        
        PID:600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        252⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        253⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        254⤵
        Drops file in Windows directory
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        255⤵
        
        PID:2212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        256⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        257⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        258⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        259⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        260⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        262⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        263⤵
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        264⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        265⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        266⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        267⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        268⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        269⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        270⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        271⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        272⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        273⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        274⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        275⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        276⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        277⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        278⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        279⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        280⤵
        Drops file in Windows directory
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        282⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        283⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        284⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        286⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        287⤵
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        288⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        289⤵
        Drops file in Windows directory
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        290⤵
        Drops file in Windows directory
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        291⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        292⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        293⤵
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        294⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        295⤵
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        296⤵
        Drops file in Windows directory
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        298⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        299⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        301⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        302⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        304⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        305⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        307⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        308⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        309⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        310⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        312⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        313⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        314⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        315⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        316⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        318⤵
        Drops file in Windows directory
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        319⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        320⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        321⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        322⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        323⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        324⤵
        Drops file in Windows directory
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        325⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        326⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        327⤵
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        328⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        329⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        330⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        331⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        332⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        333⤵
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        334⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        335⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        336⤵
        Drops file in Windows directory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        337⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        338⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        339⤵
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        340⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        341⤵
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        342⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        343⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        344⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        345⤵
        Drops file in Windows directory
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        346⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        347⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        348⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        349⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        350⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        351⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        352⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        353⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        354⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        355⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        356⤵
        Drops file in Windows directory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        357⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        358⤵
        Drops file in Windows directory
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        359⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        360⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        361⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        362⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        363⤵
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        364⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        365⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        368⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        369⤵
        Drops file in Windows directory
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        370⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        371⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        372⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        374⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        376⤵
        Drops file in Windows directory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        377⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        378⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        379⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        380⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        381⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        382⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        383⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        384⤵
        Drops file in Windows directory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        385⤵
        Drops file in Windows directory
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        386⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        387⤵
        Drops file in Windows directory
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        388⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        389⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        390⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        391⤵
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        392⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        393⤵
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        394⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        395⤵
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        396⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        397⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        398⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        399⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        400⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        401⤵
        
        PID:1008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE"
        402⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE
        403⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2868
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259450925.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1092

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
1.6MB

MD5
8e304daee222d3cdebdae87403c26c2f

SHA1
7deaaa05b8371a5d1f2105dea51c1ead297e6f49

SHA256
fcba5f416b3abc8eb3cc237413fbdd7ab29d76a92b1d2f6f2b36772f3717d393

SHA512
374f9c94028adce1033cbfb0a5595924b7ad500ba775cef01fcf801d15622b8897da1bf3e6010afcda537e04a159ae1227c42e3f9c7fd347da443c500c2be8e8

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
137KB

MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
e4e0aca2d9d108e1ab4c0e8b960268ad

SHA1
647caea0aba2a9acb93c4b6b253433497fc34d97

SHA256
2251f16f0d964180a34525678c0875fd75b892b169b025c3ca94711095172822

SHA512
461b86b894144ee04807cf7a80cee83bcc086f3f0c24dc8459833c6042160d47c8268d06fd926adb0b401ca8b98229af30ee1552fd2447311c5be9670e0cb3a1

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
198KB

MD5
f562021a3a2e1a11351e0b6da28be149

SHA1
b591c3f6647b7d8ec0a45c7cddbd69eaf4d07e7e

SHA256
58abcadd2bff81ed5fd90e3b16f7339ca7bdae6b3058709ef72d5879da57618c

SHA512
802b396422608ec1f8c49c957af04d8a77b42ae6d37914257268ab0bc52fe841a10bae1fd53fd8d9d5b4165e133787833f6d6c38b28ac4c31f54eebdf527b1ef

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

Filesize
1.2MB

MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
9bca91fd134fd98f02edb9c1f67338e5

SHA1
b98fb11c19efb8e3c4e62e30c37712b365a4365c

SHA256
939c31a55f7ca6fade34bc211664a63312ae866a5006a644f0dffe351dfa2f9e

SHA512
45be91deae89adb772dfc46107b84bd60a9c86b264824ce0138020dd5e1cb265db3afd75542e0da109e70a29305d97cd8fd79f0679e2afc564b0f4b570ba6372

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE

Filesize
287KB

MD5
abfa225c2a1a1094c155028ba2ee77f7

SHA1
74136932691b15195ffef5a81a47a9aeafb6b9b7

SHA256
06b967634c744ad9232ab1286da77794848c03ab83a26e125931e9b47e8befbc

SHA512
5dd807b1ae91587c99948699e7fbf67dc5512c50cec1a738dd9c8ba3758500089eaf8bd7d13ea277bd101eee91d53dfd5cf1ea033cb0575082e6759e416ebc0a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE

Filesize
1002KB

MD5
44c00eee4d2eafea4a9b177600a69081

SHA1
e4be22498e72e9d447dedf38040172608e07b95f

SHA256
67fd74648def7edb386583fb630f415beac00e7fa4019b3c0e3a15e3a0a5f6b6

SHA512
577f71b9f53b48b37f19814c7282d396ee90e69c44b146d4bbd1b346dcd35f3eb9d2d30212a10f1e1ddde72c9b4885fce5f4ebcf5a117776761cbaca4296b80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\HD_1D5~1.EXE

Filesize
984KB

MD5
4d29f6d3ea4133382193e1e2a9d476eb

SHA1
068daf075b5f4d5a3ae3310afc5ebe815011feea

SHA256
4abbe4b15b6be371445b330b3b30b9b78651258944f770932ec7a9bb92fb47f0

SHA512
8dba352d749da1cf6470dd597ac05591eaa342da1f67f6f575c9c7dcb480ba687c7fa0fc8b52f527ff5c2a0d6878e09986cd4b7c78b90c1f9e0044a79ce4494c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
5d9531646e3488a1197b0b2f643c221a

SHA1
6c7dce320291e3a8d4f6c1c5263bdcf116779a84

SHA256
569dc203228952fafe83e9fa4b558a8a05bf736d79cac7ff16942f300e38f500

SHA512
1c0c31d1c647e231d155f89d821338adac018d7a75ab448f2193887cfd4ad598bee770a1453e12b47744fb3954e49423d1e912d81358c939a67d05eaf2066e0f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
805762a52a709bb35fe6b36dedf8867b

SHA1
73d7882887213562c0958b716a24ecbe38f9f360

SHA256
9f848299677378073a0b92ee9be75a41f2f4d22030a81fe54b147e4b8f2a24c0

SHA512
544c3a05dfbc1b9dce198b0277d5c13a6c4b9962ef7f0b05fa7ac1f4df377b559088b22f61914b908001eb930c9fe56933d3272535489fbf27ed952c6953fd1a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE

Filesize
1.4MB

MD5
71509f22e82a9f371295b0e6cf4a79bb

SHA1
c7eefb4b59f87e9a0086ea80962070afb68e1d27

SHA256
f9837240f5913bfa289ac2b5da2ba0ba24f60249d6f7e23db8a78bb10c3c7722

SHA512
3ea6347bbb1288335ac34ee7c3006af746ca9baccfbc688d85a5ca86b09d3e456047239c0859e8dd2cdc22d254897fccd0919f00826e9665fd735cfb7c1554e7

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Filesize
2.3MB

MD5
5d2efb4d1caf51ec95b07adaa4ce57cc

SHA1
50c505eaf584f058e10e80c48864e542f403a9be

SHA256
b38a80037f47516bc8089ec173a9edfa444afcfa7c80befc8fcf492779299685

SHA512
258b95af87a4b203100de70bde8528d1e972968bbed98d01f66d5051c3deda3fff939f5734c0bfe7ccf6b1ca77b37c79ac005c380d749e8090f208625d689fcd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\HD_1d56622a3c6d280fc8d01051e201e6258265491d08ed387a4910d4663fb707a1.exe

Filesize
1.0MB

MD5
bb5c057957e3c874b742a9a18cf1b992

SHA1
4691501e28928c9b4bb6d82552cc8083b86d59ac

SHA256
a6502adca8170a7045f237cdb3f3043babe8297a83134cbbda69312e192efb4d

SHA512
92a70e311852eeb2defef6a9985a6ea0fae93083cbce1ee86e3a8e5468fb41b320c1f597121809d748f7a4b9235318570ea7e1267bd7da11010f410e7da81b37

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
\Windows\SysWOW64\259450925.bat

Filesize
51KB

MD5
06206974e98688f35ebabfa6b35937f4

SHA1
78ae0a01cb5d6a40372f0a57307f3851753578f0

SHA256
f1c069e49a9d39807832ca344065f03114907c819d7b122f080d51410ccf2aef

SHA512
caad42a2298494a183cfd99c07c851564f0d0f60f50fac4b1dadd2a56defad957af8fc18f251b43c241df5e5b28b6d11d15683a7181b425e6656407d09598865

Download Submit
memory/484-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/536-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/576-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/580-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/660-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/840-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/940-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/996-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/996-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1000-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1168-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1376-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1376-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1496-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1520-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1832-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1832-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1856-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1864-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1992-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2008-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2052-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2068-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2080-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2080-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-433-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2344-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-435-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download