neshta | 7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd

Analysis

max time kernel
96s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Size

265KB
MD5

2e74c916bee35d5b748ddde7e555693e
SHA1

d14604184262d1d42df9e9c9ad41b8b7fbdc0ed8
SHA256

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd
SHA512

b5c8ca23f1ab8e6fab182d33c1cf6ade51450b0f9000191288462072308843c8c505021ef5f018524d522ed2e376133434415348e74706714b55c9807612b038
SSDEEP

3072:zr8WDrCbzmm71+7Xj4HOb+wlCXv3hVvr8WDrC:Pud7YXj4iRlqJu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
4524	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
1772	svchost.com
5104	7DF959~1.EXE
4828	svchost.com
2616	7DF959~1.EXE
1188	svchost.com
3852	7DF959~1.EXE
3720	svchost.com
3592	7DF959~1.EXE
952	svchost.com
2632	7DF959~1.EXE
3004	svchost.com
700	7DF959~1.EXE
3148	svchost.com
3556	7DF959~1.EXE
4268	svchost.com
3096	7DF959~1.EXE
4504	svchost.com
4156	7DF959~1.EXE
3476	svchost.com
2300	7DF959~1.EXE
4072	svchost.com
4064	7DF959~1.EXE
1516	svchost.com
1376	7DF959~1.EXE
232	svchost.com
3580	7DF959~1.EXE
4940	svchost.com
2268	7DF959~1.EXE
3852	svchost.com
4576	7DF959~1.EXE
2360	svchost.com
2624	7DF959~1.EXE
1624	svchost.com
1340	7DF959~1.EXE
2632	svchost.com
3052	7DF959~1.EXE
848	svchost.com
2380	7DF959~1.EXE
4764	svchost.com
1264	7DF959~1.EXE
2364	svchost.com
1036	7DF959~1.EXE
4776	svchost.com
4284	7DF959~1.EXE
2164	svchost.com
4008	7DF959~1.EXE
4872	svchost.com
4884	7DF959~1.EXE
2992	svchost.com
2900	7DF959~1.EXE
4768	svchost.com
4592	7DF959~1.EXE
4604	svchost.com
3712	7DF959~1.EXE
4388	svchost.com
4952	7DF959~1.EXE
2228	svchost.com
2100	7DF959~1.EXE
2684	svchost.com
1376	7DF959~1.EXE
4352	svchost.com
3668	7DF959~1.EXE
4804	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	7DF959~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4524	4992	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	85
PID 4992 wrote to memory of 4524	4992	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	85
PID 4992 wrote to memory of 4524	4992	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	85
PID 4524 wrote to memory of 1772	4524	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	86
PID 4524 wrote to memory of 1772	4524	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	86
PID 4524 wrote to memory of 1772	4524	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	86
PID 1772 wrote to memory of 5104	1772	svchost.com	87
PID 1772 wrote to memory of 5104	1772	svchost.com	87
PID 1772 wrote to memory of 5104	1772	svchost.com	87
PID 5104 wrote to memory of 4828	5104	7DF959~1.EXE	88
PID 5104 wrote to memory of 4828	5104	7DF959~1.EXE	88
PID 5104 wrote to memory of 4828	5104	7DF959~1.EXE	88
PID 4828 wrote to memory of 2616	4828	svchost.com	89
PID 4828 wrote to memory of 2616	4828	svchost.com	89
PID 4828 wrote to memory of 2616	4828	svchost.com	89
PID 2616 wrote to memory of 1188	2616	7DF959~1.EXE	90
PID 2616 wrote to memory of 1188	2616	7DF959~1.EXE	90
PID 2616 wrote to memory of 1188	2616	7DF959~1.EXE	90
PID 1188 wrote to memory of 3852	1188	svchost.com	114
PID 1188 wrote to memory of 3852	1188	svchost.com	114
PID 1188 wrote to memory of 3852	1188	svchost.com	114
PID 3852 wrote to memory of 3720	3852	7DF959~1.EXE	92
PID 3852 wrote to memory of 3720	3852	7DF959~1.EXE	92
PID 3852 wrote to memory of 3720	3852	7DF959~1.EXE	92
PID 3720 wrote to memory of 3592	3720	svchost.com	93
PID 3720 wrote to memory of 3592	3720	svchost.com	93
PID 3720 wrote to memory of 3592	3720	svchost.com	93
PID 3592 wrote to memory of 952	3592	7DF959~1.EXE	94
PID 3592 wrote to memory of 952	3592	7DF959~1.EXE	94
PID 3592 wrote to memory of 952	3592	7DF959~1.EXE	94
PID 952 wrote to memory of 2632	952	svchost.com	120
PID 952 wrote to memory of 2632	952	svchost.com	120
PID 952 wrote to memory of 2632	952	svchost.com	120
PID 2632 wrote to memory of 3004	2632	7DF959~1.EXE	96
PID 2632 wrote to memory of 3004	2632	7DF959~1.EXE	96
PID 2632 wrote to memory of 3004	2632	7DF959~1.EXE	96
PID 3004 wrote to memory of 700	3004	svchost.com	97
PID 3004 wrote to memory of 700	3004	svchost.com	97
PID 3004 wrote to memory of 700	3004	svchost.com	97
PID 700 wrote to memory of 3148	700	7DF959~1.EXE	98
PID 700 wrote to memory of 3148	700	7DF959~1.EXE	98
PID 700 wrote to memory of 3148	700	7DF959~1.EXE	98
PID 3148 wrote to memory of 3556	3148	svchost.com	99
PID 3148 wrote to memory of 3556	3148	svchost.com	99
PID 3148 wrote to memory of 3556	3148	svchost.com	99
PID 3556 wrote to memory of 4268	3556	7DF959~1.EXE	100
PID 3556 wrote to memory of 4268	3556	7DF959~1.EXE	100
PID 3556 wrote to memory of 4268	3556	7DF959~1.EXE	100
PID 4268 wrote to memory of 3096	4268	svchost.com	101
PID 4268 wrote to memory of 3096	4268	svchost.com	101
PID 4268 wrote to memory of 3096	4268	svchost.com	101
PID 3096 wrote to memory of 4504	3096	7DF959~1.EXE	102
PID 3096 wrote to memory of 4504	3096	7DF959~1.EXE	102
PID 3096 wrote to memory of 4504	3096	7DF959~1.EXE	102
PID 4504 wrote to memory of 4156	4504	svchost.com	103
PID 4504 wrote to memory of 4156	4504	svchost.com	103
PID 4504 wrote to memory of 4156	4504	svchost.com	103
PID 4156 wrote to memory of 3476	4156	7DF959~1.EXE	171
PID 4156 wrote to memory of 3476	4156	7DF959~1.EXE	171
PID 4156 wrote to memory of 3476	4156	7DF959~1.EXE	171
PID 3476 wrote to memory of 2300	3476	svchost.com	105
PID 3476 wrote to memory of 2300	3476	svchost.com	105
PID 3476 wrote to memory of 2300	3476	svchost.com	105
PID 2300 wrote to memory of 4072	2300	7DF959~1.EXE	175

C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
"C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        66⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        67⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        68⤵
        Checks computer location settings
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        69⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        70⤵
        Modifies registry class
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        72⤵
        Checks computer location settings
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        73⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        74⤵
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        75⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        76⤵
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        77⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        78⤵
        Modifies registry class
        
        PID:1200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        79⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        83⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        85⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        86⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        87⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        88⤵
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        89⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        90⤵
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        91⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        92⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        93⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        94⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        95⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        97⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        98⤵
        Modifies registry class
        
        PID:952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        100⤵
        Modifies registry class
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        102⤵
        Modifies registry class
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        103⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        104⤵
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        105⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        106⤵
        Modifies registry class
        
        PID:792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        107⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        108⤵
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        109⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        112⤵
        Checks computer location settings
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        114⤵
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        115⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        116⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        117⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        118⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        119⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        120⤵
        Checks computer location settings
        
        PID:3144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        121⤵
        Drops file in Windows directory
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        122⤵
        Checks computer location settings
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        123⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        124⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        126⤵
        Checks computer location settings
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        127⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        128⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        130⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        132⤵
        Checks computer location settings
        
        PID:932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        133⤵
        Drops file in Windows directory
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        135⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        136⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        137⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        138⤵
        Checks computer location settings
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        140⤵
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        141⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        142⤵
        Modifies registry class
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        143⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        144⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        145⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        146⤵
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        147⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        149⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        150⤵
        Checks computer location settings
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        151⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        152⤵
        Modifies registry class
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        154⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        156⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        157⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        158⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        159⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        160⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        162⤵
        Modifies registry class
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        163⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        164⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        165⤵
        Drops file in Windows directory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        169⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        170⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        171⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        172⤵
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        174⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        175⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        176⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        177⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        178⤵
        Drops file in Windows directory
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        179⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        180⤵
        Checks computer location settings
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        181⤵
        Drops file in Windows directory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        182⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        183⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        184⤵
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        186⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        187⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        188⤵
        Checks computer location settings
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        189⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        190⤵
        Checks computer location settings
        
        PID:228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        193⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        194⤵
        Checks computer location settings
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        196⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        198⤵
        
        PID:4472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        200⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        202⤵
        Drops file in Windows directory
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        203⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        204⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        205⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        206⤵
        Modifies registry class
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        207⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        208⤵
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        210⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        211⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        212⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        213⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        214⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        215⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        216⤵
        Modifies registry class
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        217⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        218⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        219⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        220⤵
        Checks computer location settings
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        224⤵
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        226⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        227⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        228⤵
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        230⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        231⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        232⤵
        Checks computer location settings
        Modifies registry class
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        233⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        234⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        235⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        236⤵
        Drops file in Windows directory
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        237⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        238⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        239⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        240⤵
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        241⤵
        Drops file in Windows directory
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        242⤵
        Checks computer location settings
        
        PID:1304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        243⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        244⤵
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        246⤵
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        247⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        248⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        249⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        250⤵
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        252⤵
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        253⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        254⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        255⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        256⤵
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        257⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        258⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        259⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        261⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        262⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        263⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        264⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        265⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        266⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        268⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        269⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        270⤵
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        271⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        272⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        273⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        275⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        276⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        277⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        278⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        279⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        280⤵
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        281⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        282⤵
        Drops file in Windows directory
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        283⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        284⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        285⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        286⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        287⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        288⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        290⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        291⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        292⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        294⤵
        Modifies registry class
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        295⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        296⤵
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        297⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        298⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        300⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        301⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        302⤵
        Checks computer location settings
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        303⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        304⤵
        Checks computer location settings
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        305⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        306⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        307⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        308⤵
        Modifies registry class
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        309⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        310⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        311⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        312⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        313⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        314⤵
        
        PID:3696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        315⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        316⤵
        Checks computer location settings
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        318⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        319⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        320⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        321⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        322⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        325⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        326⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        327⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        328⤵
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        329⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        330⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        331⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        332⤵
        Checks computer location settings
        
        PID:1680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        333⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        334⤵
        Modifies registry class
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        336⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        337⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        338⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        339⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        340⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        341⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        342⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        343⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        344⤵
        
        PID:716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        345⤵
        Drops file in Windows directory
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        346⤵
        Modifies registry class
        
        PID:352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        347⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        348⤵
        Checks computer location settings
        
        PID:3540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        349⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        350⤵
        
        PID:228

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
3e4c1ecf89d19b8484e386008bb37a25

SHA1
a9a92b63645928e8a92dc395713d3c5b921026b7

SHA256
1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22

SHA512
473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
124147ede15f97b47224628152110ce2

SHA1
4530fee9b1199777693073414b82420a7c88a042

SHA256
3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd

SHA512
f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
961c73fd70b543a6a3c816649e5f8fce

SHA1
8dbdc7daeb83110638d192f65f6d014169e0a79b

SHA256
f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103

SHA512
e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
52927c2ff6260abef9d440b92d7894ef

SHA1
d766ec8d31a1b3ec68709adffb333b9b0aecc990

SHA256
0f5d7ae5106f842b482a1708b7ddf62803075ec7c1bebae44e21ba0fdd15db3d

SHA512
5fd72ee89f89c8008c6afa664247c97447d23086b686a9b8b1b28bba60399b82d9997cd7088e7356a992b47faff3f117c319e595f3b73fec55f4452e1d3071d4

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
452ced2176da983591ecdd916c84a50e

SHA1
0bda1896ce8f552b605d69a577a97e9cc4a9c7d7

SHA256
815dc23bf693d2fd78bf4ead59aabd7f048456840c6890090d0e5149de220022

SHA512
0118c88249f95bd4b3cbd322d09fc02f07d335255e3a8507a32fdd936db1dbf2461cc8656f71b75bd3a9bc9fcb976f81c730bb98def11267597a53fd31e1cec3

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
69e1e0de795a8bf8c4884cb98203b1f4

SHA1
a17f2ba68776596e2d1593781289c7007a805675

SHA256
2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb

SHA512
353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
af9aba6ab24cba804abba88d1626b2b9

SHA1
6a387c9ec2c06178476f8439a5a3d9149c480a9a

SHA256
e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90

SHA512
9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Filesize
224KB

MD5
e8a87b82e5a2209b51afa5f91c45ee63

SHA1
1e43df519f9632c2fb5eb2ddea122f906843c5be

SHA256
a6d3b894d8e9c806236f463971f06dc547c14b82f40201847e455ef30a4e6be6

SHA512
5f7476ef8931acfde84d89fe0a3ea1c29507183b7a68ba8f122c035c5ee81187abd462a6824cbe8ea365b5e0b7968d9cd4971f2f4ce286ce1e945e644888d7de

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c964bb4c53f77f16256b2816e8a02ff7

SHA1
2ba8d61469efb714ef7fcf593445cd3d6739ee42

SHA256
9c87e32fa34c4046e595ceea563a1a6648c10b1a872361ec475c56518e0177da

SHA512
62ea0320dc5a21dfae702f5f570a263be486efab9b84472770cf98af90f57ad3823f60cb5cb1883bd0cc58512babf48f75824f536e8b4e16fdcbb637493139ea

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/232-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/700-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/848-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1036-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1376-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1376-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1516-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1624-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2300-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2616-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2624-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3052-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3096-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3148-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3476-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3556-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3580-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3592-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3852-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3852-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4064-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4156-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4268-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4284-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4352-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4388-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4504-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4576-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4592-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4604-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4764-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4768-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4776-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4828-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4884-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4952-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5104-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads