neshta | 7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd

Analysis

max time kernel
95s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Size

301KB
MD5

408826cfe2454311f032f323a3f62e99
SHA1

547d37b16f499c68e9affe4de72b644bf5321cda
SHA256

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd
SHA512

3056ef3263c0be2b528fb92f5ddef481136d182c71f192da4b88a392d0acad616226ce31e3b2c41bc7de21e79a6dd7b984deedd5b3217d55b65c73f00e52ef58
SSDEEP

3072:zr8WDrCxjoByFgAsaCRSkrmfAPXSPBIFXMN3uCo//9urTWuFsxihGrJW/UmTXItd:PuqchCReAPC0XMRqGWUlxTXb0bYu

Score

10^/10

neshta discovery persistence pyinstaller spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2896	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
1300	svchost.com
3104	7CFCC6~1.EXE
3932	svchost.com
1880	7CFCC6~1.EXE
3640	svchost.com
1932	7CFCC6~1.EXE
3772	svchost.com
1352	7CFCC6~1.EXE
3484	svchost.com
5040	7CFCC6~1.EXE
892	svchost.com
3256	7CFCC6~1.EXE
4984	svchost.com
2828	7CFCC6~1.EXE
1976	svchost.com
4376	7CFCC6~1.EXE
3296	svchost.com
5116	7CFCC6~1.EXE
4012	svchost.com
4668	7CFCC6~1.EXE
2352	svchost.com
3540	7CFCC6~1.EXE
1072	svchost.com
1308	7CFCC6~1.EXE
4816	svchost.com
2216	7CFCC6~1.EXE
3428	svchost.com
2716	7CFCC6~1.EXE
3480	svchost.com
4492	7CFCC6~1.EXE
2160	svchost.com
464	7CFCC6~1.EXE
4620	svchost.com
2656	7CFCC6~1.EXE
1828	svchost.com
1456	7CFCC6~1.EXE
2568	svchost.com
892	7CFCC6~1.EXE
3888	svchost.com
2140	7CFCC6~1.EXE
5024	svchost.com
4272	7CFCC6~1.EXE
2028	svchost.com
4776	7CFCC6~1.EXE
1384	svchost.com
3472	7CFCC6~1.EXE
2484	svchost.com
3448	7CFCC6~1.EXE
804	svchost.com
1728	7CFCC6~1.EXE
2884	svchost.com
2268	7CFCC6~1.EXE
2288	svchost.com
4672	7CFCC6~1.EXE
2720	svchost.com
4028	7CFCC6~1.EXE
3544	svchost.com
4512	7CFCC6~1.EXE
2224	svchost.com
4524	7CFCC6~1.EXE
4988	svchost.com
4900	7CFCC6~1.EXE
1880	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023b6d-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7CFCC6~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2896	2368	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	82
PID 2368 wrote to memory of 2896	2368	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	82
PID 2368 wrote to memory of 2896	2368	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	82
PID 2896 wrote to memory of 1300	2896	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 2896 wrote to memory of 1300	2896	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 2896 wrote to memory of 1300	2896	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 1300 wrote to memory of 3104	1300	svchost.com	84
PID 1300 wrote to memory of 3104	1300	svchost.com	84
PID 1300 wrote to memory of 3104	1300	svchost.com	84
PID 3104 wrote to memory of 3932	3104	7CFCC6~1.EXE	85
PID 3104 wrote to memory of 3932	3104	7CFCC6~1.EXE	85
PID 3104 wrote to memory of 3932	3104	7CFCC6~1.EXE	85
PID 3932 wrote to memory of 1880	3932	svchost.com	86
PID 3932 wrote to memory of 1880	3932	svchost.com	86
PID 3932 wrote to memory of 1880	3932	svchost.com	86
PID 1880 wrote to memory of 3640	1880	7CFCC6~1.EXE	87
PID 1880 wrote to memory of 3640	1880	7CFCC6~1.EXE	87
PID 1880 wrote to memory of 3640	1880	7CFCC6~1.EXE	87
PID 3640 wrote to memory of 1932	3640	svchost.com	88
PID 3640 wrote to memory of 1932	3640	svchost.com	88
PID 3640 wrote to memory of 1932	3640	svchost.com	88
PID 1932 wrote to memory of 3772	1932	7CFCC6~1.EXE	89
PID 1932 wrote to memory of 3772	1932	7CFCC6~1.EXE	89
PID 1932 wrote to memory of 3772	1932	7CFCC6~1.EXE	89
PID 3772 wrote to memory of 1352	3772	svchost.com	90
PID 3772 wrote to memory of 1352	3772	svchost.com	90
PID 3772 wrote to memory of 1352	3772	svchost.com	90
PID 1352 wrote to memory of 3484	1352	7CFCC6~1.EXE	91
PID 1352 wrote to memory of 3484	1352	7CFCC6~1.EXE	91
PID 1352 wrote to memory of 3484	1352	7CFCC6~1.EXE	91
PID 3484 wrote to memory of 5040	3484	svchost.com	92
PID 3484 wrote to memory of 5040	3484	svchost.com	92
PID 3484 wrote to memory of 5040	3484	svchost.com	92
PID 5040 wrote to memory of 892	5040	7CFCC6~1.EXE	120
PID 5040 wrote to memory of 892	5040	7CFCC6~1.EXE	120
PID 5040 wrote to memory of 892	5040	7CFCC6~1.EXE	120
PID 892 wrote to memory of 3256	892	svchost.com	94
PID 892 wrote to memory of 3256	892	svchost.com	94
PID 892 wrote to memory of 3256	892	svchost.com	94
PID 3256 wrote to memory of 4984	3256	7CFCC6~1.EXE	95
PID 3256 wrote to memory of 4984	3256	7CFCC6~1.EXE	95
PID 3256 wrote to memory of 4984	3256	7CFCC6~1.EXE	95
PID 4984 wrote to memory of 2828	4984	svchost.com	96
PID 4984 wrote to memory of 2828	4984	svchost.com	96
PID 4984 wrote to memory of 2828	4984	svchost.com	96
PID 2828 wrote to memory of 1976	2828	7CFCC6~1.EXE	97
PID 2828 wrote to memory of 1976	2828	7CFCC6~1.EXE	97
PID 2828 wrote to memory of 1976	2828	7CFCC6~1.EXE	97
PID 1976 wrote to memory of 4376	1976	svchost.com	98
PID 1976 wrote to memory of 4376	1976	svchost.com	98
PID 1976 wrote to memory of 4376	1976	svchost.com	98
PID 4376 wrote to memory of 3296	4376	7CFCC6~1.EXE	99
PID 4376 wrote to memory of 3296	4376	7CFCC6~1.EXE	99
PID 4376 wrote to memory of 3296	4376	7CFCC6~1.EXE	99
PID 3296 wrote to memory of 5116	3296	svchost.com	100
PID 3296 wrote to memory of 5116	3296	svchost.com	100
PID 3296 wrote to memory of 5116	3296	svchost.com	100
PID 5116 wrote to memory of 4012	5116	7CFCC6~1.EXE	101
PID 5116 wrote to memory of 4012	5116	7CFCC6~1.EXE	101
PID 5116 wrote to memory of 4012	5116	7CFCC6~1.EXE	101
PID 4012 wrote to memory of 4668	4012	svchost.com	174
PID 4012 wrote to memory of 4668	4012	svchost.com	174
PID 4012 wrote to memory of 4668	4012	svchost.com	174
PID 4668 wrote to memory of 2352	4668	7CFCC6~1.EXE	103

C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
"C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        66⤵
        Checks computer location settings
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        67⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        68⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        69⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        70⤵
        
        PID:1352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        72⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        75⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        76⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        77⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        80⤵
        Checks computer location settings
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        81⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        82⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        83⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        84⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        85⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        87⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        89⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        90⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        91⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        94⤵
        Checks computer location settings
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        96⤵
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        97⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        98⤵
        Modifies registry class
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        101⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        102⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        103⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        105⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        107⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        108⤵
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        109⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        112⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        113⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        114⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        115⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        116⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        117⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        118⤵
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        120⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        121⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        122⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        123⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        124⤵
        Checks computer location settings
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        125⤵
        Drops file in Windows directory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        126⤵
        
        PID:3308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        127⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        128⤵
        Checks computer location settings
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        129⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        130⤵
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        131⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        132⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        133⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        134⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        135⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        136⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        137⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        138⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        140⤵
        Checks computer location settings
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        141⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        142⤵
        Drops file in Windows directory
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        143⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        144⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        146⤵
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        147⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        148⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        150⤵
        Checks computer location settings
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        151⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        152⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        153⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        154⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        155⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        156⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        157⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        160⤵
        Checks computer location settings
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        162⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        163⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        164⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        165⤵
        Drops file in Windows directory
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        167⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        168⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        169⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        171⤵
        Drops file in Windows directory
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        172⤵
        Checks computer location settings
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        173⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        174⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        176⤵
        Drops file in Windows directory
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        178⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        180⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        181⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        184⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        186⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        188⤵
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        189⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        190⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        191⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        192⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        193⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        194⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        195⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        196⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        197⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        198⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        199⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        200⤵
        Modifies registry class
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        201⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        202⤵
        Checks computer location settings
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        204⤵
        Checks computer location settings
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        206⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        208⤵
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        209⤵
        Drops file in Windows directory
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        210⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        211⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        213⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        214⤵
        
        PID:2088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        216⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        217⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        218⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        219⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        220⤵
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        222⤵
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        223⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        224⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        225⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        226⤵
        Checks computer location settings
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        227⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        228⤵
        Modifies registry class
        
        PID:164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        230⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        231⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        232⤵
        Checks computer location settings
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        234⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        235⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        236⤵
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        237⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        240⤵
        Modifies registry class
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        241⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        242⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        243⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        244⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        245⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        246⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        247⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        248⤵
        
        PID:3288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        249⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        250⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        251⤵
        Drops file in Windows directory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        252⤵
        Modifies registry class
        
        PID:4100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        254⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        255⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        256⤵
        
        PID:4672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        257⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        258⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        261⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        262⤵
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        264⤵
        Checks computer location settings
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        265⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        266⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        268⤵
        Modifies registry class
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        269⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        270⤵
        Modifies registry class
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        271⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        272⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        273⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        274⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        276⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        277⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        278⤵
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        281⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        282⤵
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        283⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        284⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        285⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        286⤵
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        287⤵
        Drops file in Windows directory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        288⤵
        Checks computer location settings
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        290⤵
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        291⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        292⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        294⤵
        Checks computer location settings
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        295⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        296⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        297⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        298⤵
        Checks computer location settings
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        299⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        300⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        302⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        303⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        304⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        306⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        307⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        308⤵
        
        PID:4108

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
14d9ae53c96e3e938c1fea8a4958baf2

SHA1
c0fe89702246f18ce26323724f96eb81da85777a

SHA256
413a11a06c4c72d9e161fe1875f7b1e8744798728d28091d53d03ec6cf1ce7cf

SHA512
84178e3db7de2043e6a9bc396c38e584f19cfb0ff80ef94120eb6a660c39e1d95b8c0857dfbd0a8e083f457dd0ba3f9a563f1e59ded56e94e03fb4e2a69fe9b1

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
961c73fd70b543a6a3c816649e5f8fce

SHA1
8dbdc7daeb83110638d192f65f6d014169e0a79b

SHA256
f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103

SHA512
e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
52927c2ff6260abef9d440b92d7894ef

SHA1
d766ec8d31a1b3ec68709adffb333b9b0aecc990

SHA256
0f5d7ae5106f842b482a1708b7ddf62803075ec7c1bebae44e21ba0fdd15db3d

SHA512
5fd72ee89f89c8008c6afa664247c97447d23086b686a9b8b1b28bba60399b82d9997cd7088e7356a992b47faff3f117c319e595f3b73fec55f4452e1d3071d4

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
78f77aff4993684fdbcad13c74d5f364

SHA1
0b02ed9112021b3c65778fdce0642e81dfb5b628

SHA256
9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb

SHA512
568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
415671ceca4f8e9fd6830ba812e41597

SHA1
0e5095e00711a69d44bfff529a8700528093ca52

SHA256
235bea563512a5532851bd2b1b2927cc0365904e1f851d7d94010b65e531092b

SHA512
ccafc59de0d100fc54d4099fd07b83e8a4d962e12bcecc3d1145ab41edc89bb3a5b9f3a00cc4d9df57bd7784666da7c00effc11cc5b991f9f97587cb8affeee8

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
619314ef3e2e5abde1bb19dbce363220

SHA1
5fc9e9c74d8fdc9d185f524dc1364500883c4eef

SHA256
763c48c14695500dd1f8b1b88f7be84a9fe95d9a7bb63211f74cbe210e0a58af

SHA512
5389516629a884b109950254398d1453fd573ce6f73ff3479322c1361ec990b53cd0cec2fbe366e7ab0ba704bfb1f5fd58dc7ec3d81254c9256973f4983ec360

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE

Filesize
250KB

MD5
cd4af683704c71887125716ca891e18c

SHA1
64d02bac29cfeeed31978438d572230f316d61df

SHA256
1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5

SHA512
dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE

Filesize
139KB

MD5
2925993d37c49204c9637e5c1bb5c949

SHA1
17dacda06c542a6fa6391b2b57aba8675cf7c924

SHA256
3c6212746a75da30bf30c420ce17f4a9d45e1cbd15df50b9acfcb4b655514a3e

SHA512
65616ffb2526adebcd447e9c7e838bb2a1dc5829c6097412fcdb2d245c33ea895922736d00bb45de4769307783c0670750ba3efcccd85c98f56a954334264965

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
b30563cc31305ef1397cfa0f379b8963

SHA1
5a78c13fc0035cddb68117e2085dd794d17e13f5

SHA256
c4443fb6195c73ee05f0718f948df0f3a8ec259d72196a2a0edc5f7eaed96bae

SHA512
3b376c2b8daf658de6d6f23d3b36dd64b57b4bdcac045f2caa45ea22f9eed92ee1cb314b385776663bef563fb30e7b54c3cbe072c88e6b8db37171a14ff85a56

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
144294f89c5a1ad929b9056ec0760f0f

SHA1
91175b430042997c8fb899596afc53bea4bb38c8

SHA256
9d1eeb4a9b9ef3d686891ac34e9b4a2379f24fc02ea2e9fc00071d03a86d42ab

SHA512
77c2fd3dc1bc710e652e4e4ca7cd73076a3988cf395d977b5a46a395cedd943560f3a5ad2251365c63cd2d3e681e7cf9fc3510d8d778732d7c692831c2fc9898

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Filesize
260KB

MD5
527d3369afe964e85e82b9c7095e1274

SHA1
194faba89123aa0125178c970903f74f34b3529a

SHA256
df4523a0ecfb63fb8b8b6da8aff955bcaa87f1a16a2d70ee3fc8dbd22f6e3fca

SHA512
444c1d377a6092098799f914cdc316719aa5cba638ad64bf18db17a8ac8535bac92944865f6acaa87e41f5b8ab34d81f549753f7eb45f863f5a3c36cbb858fc3

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
e8d561e162ed1fb7fecd9dc375f93968

SHA1
c4e4ae68333265bf038de64856b4089726a046b7

SHA256
4c821f06812ef3ef15b95da08a7e5b3b5220cbdeff08f8fe385dd9235db79ed1

SHA512
0bb18784785ee95abe05d2c2ca970b6c1152e2b414e7d50e237df9008bbe3e1defdcd076933ef3e7f8e1e2e2ed6bf1bb3f43770fcde814a0524d36276707047b

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/464-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/804-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1072-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1300-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1384-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1456-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1932-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1976-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2028-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2140-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2656-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3104-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3256-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3296-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3428-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3484-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3540-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3544-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3640-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3640-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3772-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3888-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3932-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4012-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4272-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4376-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4492-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4512-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4524-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4620-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4668-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4672-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4776-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4816-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4900-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5024-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5116-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads