neshta | 36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c

Analysis

max time kernel
45s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
Size

333KB
MD5

c182ece96d6d9a64a0c0464b22f35371
SHA1

4af9dcd8ba229f967a7573a0ca73aa24c5690a98
SHA256

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c
SHA512

3aebf790625f3cc19f6e56e48b575199f8ff20caaf9480cbf864a9ed22e7178f0378d5254e65893246e177083120796de453ffb3c258446a0c590e28d04b636f
SSDEEP

3072:sr85Cn4BN6e7qQ0x6Nvx1p5GnKIL72zgO5+r85C:k9n66e7qR2x1p5GnKIL7P9

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c73-4.dat	family_neshta
behavioral2/files/0x0007000000023c78-10.dat	family_neshta
behavioral2/memory/2284-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1744-26-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3712-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1852-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4724-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4124-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2264-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3544-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2640-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2876-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4784-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020216-89.dat	family_neshta
behavioral2/memory/688-95-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000700000002027e-88.dat	family_neshta
behavioral2/files/0x0004000000020343-87.dat	family_neshta
behavioral2/files/0x0004000000020309-108.dat	family_neshta
behavioral2/files/0x000600000002022d-109.dat	family_neshta
behavioral2/memory/3940-110-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000002028f-107.dat	family_neshta
behavioral2/memory/4484-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2400-122-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4036-126-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000021533-140.dat	family_neshta
behavioral2/memory/4208-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022f29-154.dat	family_neshta
behavioral2/files/0x0001000000022f26-158.dat	family_neshta
behavioral2/memory/4396-177-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022f69-176.dat	family_neshta
behavioral2/files/0x0001000000022f68-160.dat	family_neshta
behavioral2/files/0x00010000000214d8-152.dat	family_neshta
behavioral2/files/0x00010000000214da-151.dat	family_neshta
behavioral2/files/0x00010000000214d9-150.dat	family_neshta
behavioral2/memory/4212-192-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000167cb-202.dat	family_neshta
behavioral2/files/0x000100000001680d-201.dat	family_neshta
behavioral2/files/0x00010000000167d3-200.dat	family_neshta
behavioral2/files/0x000100000001685d-199.dat	family_neshta
behavioral2/memory/4604-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000167cf-198.dat	family_neshta
behavioral2/files/0x00010000000167d1-197.dat	family_neshta
behavioral2/files/0x00010000000167b6-196.dat	family_neshta
behavioral2/files/0x0001000000016808-195.dat	family_neshta
behavioral2/memory/4744-219-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3340-229-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2008-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1920-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/692-255-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4772-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3652-263-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/800-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2700-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4128-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4668-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1956-292-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4952-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3588-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/892-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2256-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3092-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4008-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4844-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4948-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	36E228~1.EXE

Executes dropped EXE 64 IoCs

Processes:

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exesvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com

pid	Process
2824	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
2284	svchost.com
1744	36E228~1.EXE
3712	svchost.com
1852	36E228~1.EXE
4724	svchost.com
4124	36E228~1.EXE
2264	svchost.com
3544	36E228~1.EXE
2640	svchost.com
2876	36E228~1.EXE
4784	svchost.com
688	36E228~1.EXE
3940	svchost.com
4484	36E228~1.EXE
2400	svchost.com
4036	36E228~1.EXE
4208	svchost.com
4396	36E228~1.EXE
4212	svchost.com
4604	36E228~1.EXE
4744	svchost.com
3340	36E228~1.EXE
2008	svchost.com
1920	36E228~1.EXE
4772	svchost.com
692	36E228~1.EXE
3652	svchost.com
800	36E228~1.EXE
2700	svchost.com
4128	36E228~1.EXE
4668	svchost.com
1956	36E228~1.EXE
4952	svchost.com
3588	36E228~1.EXE
892	svchost.com
2256	36E228~1.EXE
3092	svchost.com
4008	36E228~1.EXE
4844	svchost.com
4948	36E228~1.EXE
2400	svchost.com
4780	36E228~1.EXE
3524	svchost.com
2000	36E228~1.EXE
4632	svchost.com
2156	36E228~1.EXE
4980	svchost.com
2188	36E228~1.EXE
2952	svchost.com
1148	36E228~1.EXE
644	svchost.com
2164	36E228~1.EXE
4592	svchost.com
4624	36E228~1.EXE
3060	svchost.com
4476	36E228~1.EXE
2556	svchost.com
2292	36E228~1.EXE
3288	svchost.com
2516	36E228~1.EXE
3872	svchost.com
4404	36E228~1.EXE
1704	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe

description	ioc	Process
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe

Drops file in Windows directory 64 IoCs

Processes:

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exesvchost.com36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXE

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE
File opened for modification	C:\Windows\directx.sys	36E228~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.comsvchost.com36E228~1.EXEsvchost.comsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.com36E228~1.EXE36E228~1.EXEsvchost.comsvchost.com36E228~1.EXE36E228~1.EXEsvchost.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36E228~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

Processes:

36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE36E228~1.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	36E228~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exesvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXEsvchost.com36E228~1.EXE

description	pid	Process	procid_target
PID 956 wrote to memory of 2824	956	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	84
PID 956 wrote to memory of 2824	956	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	84
PID 956 wrote to memory of 2824	956	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	84
PID 2824 wrote to memory of 2284	2824	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	86
PID 2824 wrote to memory of 2284	2824	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	86
PID 2824 wrote to memory of 2284	2824	36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe	86
PID 2284 wrote to memory of 1744	2284	svchost.com	87
PID 2284 wrote to memory of 1744	2284	svchost.com	87
PID 2284 wrote to memory of 1744	2284	svchost.com	87
PID 1744 wrote to memory of 3712	1744	36E228~1.EXE	88
PID 1744 wrote to memory of 3712	1744	36E228~1.EXE	88
PID 1744 wrote to memory of 3712	1744	36E228~1.EXE	88
PID 3712 wrote to memory of 1852	3712	svchost.com	89
PID 3712 wrote to memory of 1852	3712	svchost.com	89
PID 3712 wrote to memory of 1852	3712	svchost.com	89
PID 1852 wrote to memory of 4724	1852	36E228~1.EXE	90
PID 1852 wrote to memory of 4724	1852	36E228~1.EXE	90
PID 1852 wrote to memory of 4724	1852	36E228~1.EXE	90
PID 4724 wrote to memory of 4124	4724	svchost.com	91
PID 4724 wrote to memory of 4124	4724	svchost.com	91
PID 4724 wrote to memory of 4124	4724	svchost.com	91
PID 4124 wrote to memory of 2264	4124	36E228~1.EXE	92
PID 4124 wrote to memory of 2264	4124	36E228~1.EXE	92
PID 4124 wrote to memory of 2264	4124	36E228~1.EXE	92
PID 2264 wrote to memory of 3544	2264	svchost.com	93
PID 2264 wrote to memory of 3544	2264	svchost.com	93
PID 2264 wrote to memory of 3544	2264	svchost.com	93
PID 3544 wrote to memory of 2640	3544	36E228~1.EXE	94
PID 3544 wrote to memory of 2640	3544	36E228~1.EXE	94
PID 3544 wrote to memory of 2640	3544	36E228~1.EXE	94
PID 2640 wrote to memory of 2876	2640	svchost.com	95
PID 2640 wrote to memory of 2876	2640	svchost.com	95
PID 2640 wrote to memory of 2876	2640	svchost.com	95
PID 2876 wrote to memory of 4784	2876	36E228~1.EXE	96
PID 2876 wrote to memory of 4784	2876	36E228~1.EXE	96
PID 2876 wrote to memory of 4784	2876	36E228~1.EXE	96
PID 4784 wrote to memory of 688	4784	svchost.com	97
PID 4784 wrote to memory of 688	4784	svchost.com	97
PID 4784 wrote to memory of 688	4784	svchost.com	97
PID 688 wrote to memory of 3940	688	36E228~1.EXE	98
PID 688 wrote to memory of 3940	688	36E228~1.EXE	98
PID 688 wrote to memory of 3940	688	36E228~1.EXE	98
PID 3940 wrote to memory of 4484	3940	svchost.com	99
PID 3940 wrote to memory of 4484	3940	svchost.com	99
PID 3940 wrote to memory of 4484	3940	svchost.com	99
PID 4484 wrote to memory of 2400	4484	36E228~1.EXE	127
PID 4484 wrote to memory of 2400	4484	36E228~1.EXE	127
PID 4484 wrote to memory of 2400	4484	36E228~1.EXE	127
PID 2400 wrote to memory of 4036	2400	svchost.com	101
PID 2400 wrote to memory of 4036	2400	svchost.com	101
PID 2400 wrote to memory of 4036	2400	svchost.com	101
PID 4036 wrote to memory of 4208	4036	36E228~1.EXE	267
PID 4036 wrote to memory of 4208	4036	36E228~1.EXE	267
PID 4036 wrote to memory of 4208	4036	36E228~1.EXE	267
PID 4208 wrote to memory of 4396	4208	svchost.com	103
PID 4208 wrote to memory of 4396	4208	svchost.com	103
PID 4208 wrote to memory of 4396	4208	svchost.com	103
PID 4396 wrote to memory of 4212	4396	36E228~1.EXE	104
PID 4396 wrote to memory of 4212	4396	36E228~1.EXE	104
PID 4396 wrote to memory of 4212	4396	36E228~1.EXE	104
PID 4212 wrote to memory of 4604	4212	svchost.com	105
PID 4212 wrote to memory of 4604	4212	svchost.com	105
PID 4212 wrote to memory of 4604	4212	svchost.com	105
PID 4604 wrote to memory of 4744	4604	36E228~1.EXE	106

C:\Users\Admin\AppData\Local\Temp\36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
"C:\Users\Admin\AppData\Local\Temp\36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\3582-490\36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        66⤵
        Checks computer location settings
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        67⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        69⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        70⤵
        Modifies registry class
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        71⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        72⤵
        Checks computer location settings
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        73⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        74⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        75⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        76⤵
        Modifies registry class
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        77⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        80⤵
        Modifies registry class
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        81⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        82⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        83⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        84⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        87⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        88⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        90⤵
        Checks computer location settings
        
        PID:800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        91⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        92⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        93⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        94⤵
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        98⤵
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        99⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        100⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        102⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        103⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        104⤵
        Modifies registry class
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        106⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        107⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        108⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        109⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        110⤵
        Checks computer location settings
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        111⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        112⤵
        Checks computer location settings
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        113⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        114⤵
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        115⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        116⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        118⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        119⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        120⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        121⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        122⤵
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        124⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        126⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        127⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        128⤵
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        129⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        130⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        131⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        132⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        133⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        134⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        135⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        136⤵
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        137⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        138⤵
        Modifies registry class
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        140⤵
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        141⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        142⤵
        Modifies registry class
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        144⤵
        Checks computer location settings
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        145⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        146⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        147⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        150⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        151⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        152⤵
        Checks computer location settings
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        153⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        154⤵
        Drops file in Windows directory
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        155⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        157⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        158⤵
        Checks computer location settings
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        159⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        160⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        161⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        162⤵
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        163⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        164⤵
        Drops file in Windows directory
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        165⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        167⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        168⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        169⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        170⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        171⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        172⤵
        Drops file in Windows directory
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        173⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        174⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        175⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        176⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        177⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        178⤵
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        179⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        180⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        182⤵
        Checks computer location settings
        
        PID:4468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        183⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        184⤵
        Modifies registry class
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        185⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        186⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        188⤵
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        189⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        190⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        191⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        192⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        193⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        194⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        196⤵
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        197⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        198⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        200⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        201⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        202⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        203⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        204⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        205⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        206⤵
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        207⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        209⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        210⤵
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        211⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        212⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        213⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        214⤵
        Checks computer location settings
        
        PID:3848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        216⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        217⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        218⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        219⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        220⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        221⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        222⤵
        Modifies registry class
        
        PID:3680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        223⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        225⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        226⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        227⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        228⤵
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        229⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        231⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        232⤵
        Checks computer location settings
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        233⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        234⤵
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        235⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        236⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        238⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        240⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        241⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        242⤵
        Modifies registry class
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        244⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        245⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        246⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        247⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        248⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        250⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        251⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        252⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        253⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        254⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        257⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        259⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        260⤵
        Modifies registry class
        
        PID:3376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        262⤵
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        264⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        265⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        266⤵
        Modifies registry class
        
        PID:3904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        267⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        268⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        269⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        270⤵
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        271⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        272⤵
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        273⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:4116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        275⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        276⤵
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        277⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        278⤵
        Drops file in Windows directory
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        279⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        280⤵
        Checks computer location settings
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        281⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        282⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        283⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        284⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        285⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        286⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        287⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        289⤵
        Drops file in Windows directory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        290⤵
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        291⤵
        Drops file in Windows directory
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        292⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        293⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        294⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        296⤵
        Checks computer location settings
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        297⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        298⤵
        Drops file in Windows directory
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        300⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        301⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        302⤵
        Checks computer location settings
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        303⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        304⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        305⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        306⤵
        Modifies registry class
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        307⤵
        Drops file in Windows directory
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        308⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        309⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        310⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        311⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        312⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        313⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        314⤵
        Modifies registry class
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        315⤵
        Drops file in Windows directory
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        317⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        318⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        319⤵
        Drops file in Windows directory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        320⤵
        Modifies registry class
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        321⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        322⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        323⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        324⤵
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        325⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        326⤵
        Drops file in Windows directory
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        327⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        328⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        329⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        330⤵
        Drops file in Windows directory
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        331⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        332⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        333⤵
        Drops file in Windows directory
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        334⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        335⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        336⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        337⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        338⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        339⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        340⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        341⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        342⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        343⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        344⤵
        
        PID:3252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        347⤵
        Drops file in Windows directory
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        348⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        350⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        352⤵
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        354⤵
        Checks computer location settings
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        355⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        356⤵
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        357⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        358⤵
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        359⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        360⤵
        Checks computer location settings
        
        PID:3604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        362⤵
        Checks computer location settings
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        363⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        364⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        366⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        367⤵
        Drops file in Windows directory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        369⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        370⤵
        Checks computer location settings
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        371⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        372⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        373⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        374⤵
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        375⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        376⤵
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        377⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        378⤵
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        379⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        380⤵
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        381⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        382⤵
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        383⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        384⤵
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE"
        385⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\36E228~1.EXE
        386⤵
        
        PID:3596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2256

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ok2HDvZaE0WyMNHisPnWGQ.0.2
1⤵
PID:1656

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:3940

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
366KB

MD5
f1dd0a0fe1c98603a4d5666f5175a911

SHA1
12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d

SHA256
f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264

SHA512
3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
186KB

MD5
9d671cab4d038aa215f8cc6130ac9692

SHA1
0a42bd44f79f3b07ed7f6079effc3760b6bcd447

SHA256
6dd1a9ad915f92271a71f76a4ca5ff2557c2819ee8699063e20c931c180b511f

SHA512
84be06725fc3be4b146bb08b8c34ca93616b6bc80c7b336a04115aa1a7a2526142f0d98f2bc8c76b9cc4112f1002acd8277fe093c45fa1bea2bcf0887d53a123

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\36e228fa030534a282bb339a538b76d578cd8ac18a2ec90271ac391e6593c02c.exe

Filesize
292KB

MD5
5efe21deb83b685ca08f5c2c8e175d35

SHA1
d15ff02611b360152904dcd487da2cfe41d370d7

SHA256
f55d22309de5325fdcc86ee073eba522a0a866a13130c1a3f285199b06a2f539

SHA512
769598378dd174c1dfc8bb1675c8a984d3483b92bbeb9f17c9821cc74c4554ea9bf3a6c03dfd5be6a892687d386f2975980fc0b160740fce84f09e14b08596a5

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
cf9a81f0018928586fa56554d38d5bfc

SHA1
b731049ff8cee1e8115b34e1e12f69819e7bbf7d

SHA256
5c47879f42f64e1998edf37748e7d21d43278ed156d3091fdb81f56432ef8563

SHA512
5955bfb806209006c22b42beef7f5d70e542bdb7be27b7d037691973a782cff0c2df5ee208465b4abdbb8bf4454e884e82fc699b4399a47b233fd3fcd631e38a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
4bde3376e01f16b1303cab41e9b385d1

SHA1
c8d697c3aed489cbedb1e03eb94032c02f16c881

SHA256
672f7fbc61082ce4ec448b45e815465fbd7a7fea043cb15bf57d25fe0e0002b0

SHA512
68ab9ba44c68258a7287859bab279f2bdbdb4c9d9073c3dce49f4e78f96c83986d2f98bde629bb75f8270054c3622a6b4d93ce06678bc4486ebd8261ef62dbd3

Download Submit
memory/644-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/688-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/692-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/800-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1148-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1920-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1956-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2008-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3340-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3524-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3544-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3652-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3872-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4036-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4124-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4128-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4208-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4212-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4396-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4476-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4484-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4592-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4604-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4624-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4668-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4724-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4772-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4780-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4784-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4948-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4952-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download