neshta | 9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
Size

1.0MB
MD5

fc891c1eef8dc297fb88b558218b9700
SHA1

15c7f4ce688c9b64f562dd6707de529820f680ad
SHA256

9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451
SHA512

7880fff1dffacc597d92bc2be17de557fdc7bde0249b048dc227369ea712021de36ae2ab9772be7108726fcd943067a9127750b770ea857da8fda182dd9b554f
SSDEEP

24576:LSEN3xtvIjdFpRXF4R6G1Rxb1L1bxLT1Gxb1715xnlGf6fNfl1gvklTY:LNC9Y

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c89-4.dat	family_neshta
behavioral2/files/0x0007000000023c8a-10.dat	family_neshta
behavioral2/memory/2520-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3036-26-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1352-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3244-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1820-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4912-50-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4792-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2824-63-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3124-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4708-68-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2920-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020343-78.dat	family_neshta
behavioral2/memory/4192-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000700000002027e-84.dat	family_neshta
behavioral2/files/0x0004000000020335-98.dat	family_neshta
behavioral2/files/0x0004000000020336-103.dat	family_neshta
behavioral2/files/0x0004000000020348-106.dat	family_neshta
behavioral2/files/0x0001000000020294-102.dat	family_neshta
behavioral2/memory/3816-120-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4808-110-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000200000002030d-137.dat	family_neshta
behavioral2/files/0x00010000000214d8-144.dat	family_neshta
behavioral2/files/0x00010000000214da-152.dat	family_neshta
behavioral2/files/0x00010000000214d9-150.dat	family_neshta
behavioral2/files/0x00010000000225d6-143.dat	family_neshta
behavioral2/files/0x0001000000021533-140.dat	family_neshta
behavioral2/files/0x0001000000022f67-166.dat	family_neshta
behavioral2/files/0x000100000001680d-180.dat	family_neshta
behavioral2/files/0x00010000000167ef-186.dat	family_neshta
behavioral2/files/0x00010000000167f0-185.dat	family_neshta
behavioral2/files/0x00010000000167d3-179.dat	family_neshta
behavioral2/files/0x000100000001685d-178.dat	family_neshta
behavioral2/files/0x00010000000167cf-177.dat	family_neshta
behavioral2/files/0x00010000000167d1-176.dat	family_neshta
behavioral2/files/0x00010000000167b6-174.dat	family_neshta
behavioral2/files/0x0001000000016808-173.dat	family_neshta
behavioral2/files/0x0001000000022f69-165.dat	family_neshta
behavioral2/files/0x0001000000022f28-164.dat	family_neshta
behavioral2/files/0x0001000000022f2b-163.dat	family_neshta
behavioral2/memory/1020-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/400-217-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0008000000020237-136.dat	family_neshta
behavioral2/files/0x0006000000020235-135.dat	family_neshta
behavioral2/memory/4292-122-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3108-226-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4572-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2884-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1380-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4880-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1352-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2264-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3564-254-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3164-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/552-262-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/228-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2952-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3572-272-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4720-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4508-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1408-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1844-288-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2892-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9D2E93~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2560	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
2520	svchost.com
3036	9D2E93~1.EXE
1352	svchost.com
3244	9D2E93~1.EXE
1820	svchost.com
4912	9D2E93~1.EXE
4792	svchost.com
2824	9D2E93~1.EXE
3124	svchost.com
4708	9D2E93~1.EXE
2920	svchost.com
4192	9D2E93~1.EXE
4808	svchost.com
3816	9D2E93~1.EXE
4292	svchost.com
1020	9D2E93~1.EXE
400	svchost.com
3108	9D2E93~1.EXE
4572	svchost.com
2884	9D2E93~1.EXE
1380	svchost.com
4880	9D2E93~1.EXE
1352	svchost.com
2264	9D2E93~1.EXE
3564	svchost.com
3164	9D2E93~1.EXE
552	svchost.com
228	9D2E93~1.EXE
2952	svchost.com
3572	9D2E93~1.EXE
4720	svchost.com
4508	9D2E93~1.EXE
1408	svchost.com
1844	9D2E93~1.EXE
2892	svchost.com
2164	9D2E93~1.EXE
4300	svchost.com
4060	9D2E93~1.EXE
376	svchost.com
364	9D2E93~1.EXE
932	svchost.com
2036	9D2E93~1.EXE
2568	svchost.com
1316	9D2E93~1.EXE
2152	svchost.com
4228	9D2E93~1.EXE
4884	svchost.com
3848	9D2E93~1.EXE
2944	svchost.com
4860	9D2E93~1.EXE
3108	svchost.com
4216	9D2E93~1.EXE
452	svchost.com
4028	9D2E93~1.EXE
4224	svchost.com
1864	9D2E93~1.EXE
1188	svchost.com
2924	9D2E93~1.EXE
2692	svchost.com
2888	9D2E93~1.EXE
1848	svchost.com
1480	9D2E93~1.EXE
4992	svchost.com

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9D2E93~1.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	9D2E93~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9D2E93~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9D2E93~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9D2E93~1.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE
File opened for modification	C:\Windows\directx.sys	9D2E93~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	9D2E93~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9D2E93~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	9D2E93~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4936	9D2E93~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2560	5092	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	85
PID 5092 wrote to memory of 2560	5092	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	85
PID 5092 wrote to memory of 2560	5092	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	85
PID 2560 wrote to memory of 2520	2560	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	86
PID 2560 wrote to memory of 2520	2560	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	86
PID 2560 wrote to memory of 2520	2560	9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe	86
PID 2520 wrote to memory of 3036	2520	svchost.com	87
PID 2520 wrote to memory of 3036	2520	svchost.com	87
PID 2520 wrote to memory of 3036	2520	svchost.com	87
PID 3036 wrote to memory of 1352	3036	9D2E93~1.EXE	88
PID 3036 wrote to memory of 1352	3036	9D2E93~1.EXE	88
PID 3036 wrote to memory of 1352	3036	9D2E93~1.EXE	88
PID 1352 wrote to memory of 3244	1352	svchost.com	89
PID 1352 wrote to memory of 3244	1352	svchost.com	89
PID 1352 wrote to memory of 3244	1352	svchost.com	89
PID 3244 wrote to memory of 1820	3244	9D2E93~1.EXE	90
PID 3244 wrote to memory of 1820	3244	9D2E93~1.EXE	90
PID 3244 wrote to memory of 1820	3244	9D2E93~1.EXE	90
PID 1820 wrote to memory of 4912	1820	svchost.com	91
PID 1820 wrote to memory of 4912	1820	svchost.com	91
PID 1820 wrote to memory of 4912	1820	svchost.com	91
PID 4912 wrote to memory of 4792	4912	9D2E93~1.EXE	92
PID 4912 wrote to memory of 4792	4912	9D2E93~1.EXE	92
PID 4912 wrote to memory of 4792	4912	9D2E93~1.EXE	92
PID 4792 wrote to memory of 2824	4792	svchost.com	93
PID 4792 wrote to memory of 2824	4792	svchost.com	93
PID 4792 wrote to memory of 2824	4792	svchost.com	93
PID 2824 wrote to memory of 3124	2824	9D2E93~1.EXE	94
PID 2824 wrote to memory of 3124	2824	9D2E93~1.EXE	94
PID 2824 wrote to memory of 3124	2824	9D2E93~1.EXE	94
PID 3124 wrote to memory of 4708	3124	svchost.com	95
PID 3124 wrote to memory of 4708	3124	svchost.com	95
PID 3124 wrote to memory of 4708	3124	svchost.com	95
PID 4708 wrote to memory of 2920	4708	9D2E93~1.EXE	97
PID 4708 wrote to memory of 2920	4708	9D2E93~1.EXE	97
PID 4708 wrote to memory of 2920	4708	9D2E93~1.EXE	97
PID 2920 wrote to memory of 4192	2920	svchost.com	98
PID 2920 wrote to memory of 4192	2920	svchost.com	98
PID 2920 wrote to memory of 4192	2920	svchost.com	98
PID 4192 wrote to memory of 4808	4192	9D2E93~1.EXE	99
PID 4192 wrote to memory of 4808	4192	9D2E93~1.EXE	99
PID 4192 wrote to memory of 4808	4192	9D2E93~1.EXE	99
PID 4808 wrote to memory of 3816	4808	svchost.com	185
PID 4808 wrote to memory of 3816	4808	svchost.com	185
PID 4808 wrote to memory of 3816	4808	svchost.com	185
PID 3816 wrote to memory of 4292	3816	9D2E93~1.EXE	101
PID 3816 wrote to memory of 4292	3816	9D2E93~1.EXE	101
PID 3816 wrote to memory of 4292	3816	9D2E93~1.EXE	101
PID 4292 wrote to memory of 1020	4292	svchost.com	102
PID 4292 wrote to memory of 1020	4292	svchost.com	102
PID 4292 wrote to memory of 1020	4292	svchost.com	102
PID 1020 wrote to memory of 400	1020	9D2E93~1.EXE	103
PID 1020 wrote to memory of 400	1020	9D2E93~1.EXE	103
PID 1020 wrote to memory of 400	1020	9D2E93~1.EXE	103
PID 400 wrote to memory of 3108	400	svchost.com	138
PID 400 wrote to memory of 3108	400	svchost.com	138
PID 400 wrote to memory of 3108	400	svchost.com	138
PID 3108 wrote to memory of 4572	3108	9D2E93~1.EXE	105
PID 3108 wrote to memory of 4572	3108	9D2E93~1.EXE	105
PID 3108 wrote to memory of 4572	3108	9D2E93~1.EXE	105
PID 4572 wrote to memory of 2884	4572	svchost.com	106
PID 4572 wrote to memory of 2884	4572	svchost.com	106
PID 4572 wrote to memory of 2884	4572	svchost.com	106
PID 2884 wrote to memory of 1380	2884	9D2E93~1.EXE	276

C:\Users\Admin\AppData\Local\Temp\9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
"C:\Users\Admin\AppData\Local\Temp\9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\3582-490\9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        66⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        67⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        68⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        69⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        70⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        71⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        72⤵
        Checks computer location settings
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        73⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        74⤵
        
        PID:3204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        77⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        80⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        83⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        84⤵
        Checks computer location settings
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        86⤵
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        87⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        88⤵
        Modifies registry class
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        89⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        90⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        91⤵
        Drops file in Windows directory
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        93⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        94⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        97⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        99⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        100⤵
        Modifies registry class
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        101⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        102⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        103⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        104⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        105⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        106⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        107⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        108⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        109⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        110⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        111⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        112⤵
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        113⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        114⤵
        Drops file in Windows directory
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        118⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        119⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        121⤵
        Drops file in Windows directory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        122⤵
        Drops file in Windows directory
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        123⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        125⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        126⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        127⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        128⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        129⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        130⤵
        Checks computer location settings
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        131⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        132⤵
        Checks computer location settings
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        133⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        134⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        135⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        136⤵
        Modifies registry class
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        138⤵
        
        PID:1172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        139⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        140⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        142⤵
        Checks computer location settings
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        143⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        144⤵
        Modifies registry class
        
        PID:3196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        145⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        146⤵
        Drops file in Windows directory
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        147⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        150⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        151⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        152⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        153⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        155⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        156⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        158⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        159⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        162⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        165⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        166⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        168⤵
        Checks computer location settings
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        169⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        171⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        172⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        173⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        174⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        175⤵
        Drops file in Windows directory
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        176⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        178⤵
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        179⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        180⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        181⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        182⤵
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        184⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        185⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        186⤵
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        187⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        188⤵
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        189⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        190⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        191⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        192⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        194⤵
        Checks computer location settings
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        195⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        196⤵
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        197⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        198⤵
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        200⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        201⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        202⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        203⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        204⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        206⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        207⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        208⤵
        
        PID:552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        210⤵
        Modifies registry class
        
        PID:900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        211⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        212⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        213⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        214⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        215⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        217⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        218⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        219⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        220⤵
        
        PID:3172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        221⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        222⤵
        Modifies registry class
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        223⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        224⤵
        Checks computer location settings
        
        PID:460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        226⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        227⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        228⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        229⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        230⤵
        Checks computer location settings
        
        PID:3448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        231⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        232⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        233⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        234⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        235⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        236⤵
        Checks computer location settings
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        237⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        238⤵
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        240⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        241⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        242⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        243⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        244⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        246⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        247⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        248⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        249⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        250⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        251⤵
        Drops file in Windows directory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        252⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        253⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        254⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        255⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        256⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        257⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        258⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        259⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        260⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        261⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        262⤵
        Drops file in Windows directory
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        263⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        264⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        265⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        266⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        267⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        268⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        269⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        270⤵
        Checks computer location settings
        
        PID:364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        271⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        272⤵
        Checks computer location settings
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        273⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        278⤵
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        280⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        282⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        284⤵
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        285⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        286⤵
        Modifies registry class
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        287⤵
        Drops file in Windows directory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        288⤵
        
        PID:4732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        289⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        290⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        293⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        294⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        295⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        297⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        299⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        300⤵
        Checks computer location settings
        
        PID:4552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        302⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        303⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        305⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        306⤵
        Modifies registry class
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        307⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        308⤵
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        309⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        310⤵
        
        PID:932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        312⤵
        Checks computer location settings
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        313⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        314⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        315⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        316⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        317⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        318⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        319⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        320⤵
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        321⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        322⤵
        Drops file in Windows directory
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        323⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        324⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        325⤵
        Drops file in Windows directory
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        326⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        327⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        328⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        329⤵
        Drops file in Windows directory
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        330⤵
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        331⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        332⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        333⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        334⤵
        Checks computer location settings
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        335⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        336⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        337⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        338⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        339⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        340⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        341⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        342⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        343⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        344⤵
        Checks computer location settings
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        345⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        347⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        348⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE"
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\9D2E93~1.EXE
        350⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4936

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1480

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
505KB

MD5
91889e961a8fb49b3c015258e0c979f1

SHA1
e3573bf94c8293e1a6755afcc7cb62734809b157

SHA256
f58389951a85e0f12b701daaa55f561938dc5a97f55101a42b77710822fdf66f

SHA512
1295e6e3c6294236df560482a1153aed2ba4a9cd923d7942c7798bebb3834c621a5818dad10dc6f23ed78d1c527336135c7f41ef32b7ea2eeceb91e42673409f

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
6ce350ad38c8f7cbe5dd8fda30d11fa1

SHA1
4f232b8cccd031c25378b4770f85e8038e8655d8

SHA256
06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba

SHA512
4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9d2e93e3bca581bdb45c0ced62c02d26d3c8d4590ffac9a1d38c295780293451N.exe

Filesize
1016KB

MD5
00af32ea08b8225231810ba26093f573

SHA1
e814d258fcbda03c0b1e14b2aa199b88694f50b4

SHA256
8fe93bdf84ab2d2e23813e7135e82c40d9f0a9ecaaead8380438799db9f204ea

SHA512
e17ac6ba3c315c413a4e224917ffda5352310a296cb1bd7f93b85b4d821f47d5f8a881933ae32ee13064223f697839daa7abe03804d1d569b78e46dfaaa6824c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
4fce0c4111019fda636c5df7319817b2

SHA1
46f77783c775e9cd42f0b50aaeebe5baceb86a80

SHA256
30dc1a318191e7d4db3e5dc55985332aef5f07b9533463296a45194df3c9f2ba

SHA512
585905ac096c0e8c80ba101b9f2f5b87fb0ae5b83226dc904a51c3009b0323b864fc694f06162de6178a5987d989c294c81c931d24f5e42f3cb297c287dd8a8e

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
32c1967592e4238be5fa8d54e23a33ac

SHA1
479e22158bf9c447705e2490337045f72e71351a

SHA256
73a31c975af63255f9d17c46642e09e76db9b833a24273ea90c2870d46eccb93

SHA512
6898353471f000ce76f05036b8668ff1db993cb6f75bc3379530bc8f39b868125fec445062ae73d413b0361da764593a87a35689067f37079ea02919a4b9de73

Download Submit
memory/228-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/364-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/376-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/400-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/452-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/552-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/932-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1316-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1380-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1480-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1844-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1864-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2152-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2692-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2944-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3108-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3108-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3124-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3164-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3244-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3564-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3572-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3816-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3848-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4064-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4192-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4216-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4224-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4228-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4292-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4300-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4508-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4572-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4708-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4720-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4792-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4860-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4880-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4884-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4912-50-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4992-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads