neshta | 7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
Size

6.0MB
MD5

e7dda9ad078dd60ef757b2fe7f273df6
SHA1

730da0f3a6079b2587a3275ff8a987b55668b565
SHA256

7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6
SHA512

e41bd58ec4f5d89d8f600c2bc6a2469f451dd3d09c38e885d6563d9c74a776bd1b218e29ce4e7cdcff6385273fb530517787df385bc26a0e2e7ec6c9beeaa58c
SSDEEP

98304:42io0F6n4DKhOPqSUze/aEO0j514bP35GB2sB9mqq3zY+WziaHLwU9S2iZt:4A0pD8OPqZx0z64rB/8CiaHEU9SZt

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7C0E1B~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2828	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
4364	svchost.com
1448	7C0E1B~1.EXE
3652	svchost.com
1060	7C0E1B~1.EXE
1928	svchost.com
4488	7C0E1B~1.EXE
5028	svchost.com
4796	7C0E1B~1.EXE
2632	svchost.com
4528	7C0E1B~1.EXE
3624	svchost.com
1476	7C0E1B~1.EXE
3220	svchost.com
4904	7C0E1B~1.EXE
3548	svchost.com
2168	7C0E1B~1.EXE
3588	svchost.com
3108	7C0E1B~1.EXE
5068	svchost.com
3616	7C0E1B~1.EXE
872	svchost.com
4760	7C0E1B~1.EXE
4352	svchost.com
4380	7C0E1B~1.EXE
3860	svchost.com
4968	7C0E1B~1.EXE
3536	svchost.com
3068	7C0E1B~1.EXE
2464	svchost.com
4880	7C0E1B~1.EXE
1060	svchost.com
2608	7C0E1B~1.EXE
2964	svchost.com
2536	7C0E1B~1.EXE
2700	svchost.com
5076	7C0E1B~1.EXE
4976	svchost.com
5040	7C0E1B~1.EXE
100	svchost.com
1420	7C0E1B~1.EXE
1400	svchost.com
4396	7C0E1B~1.EXE
2512	svchost.com
1192	7C0E1B~1.EXE
3604	svchost.com
1100	7C0E1B~1.EXE
948	svchost.com
3304	7C0E1B~1.EXE
4784	svchost.com
2284	7C0E1B~1.EXE
4500	svchost.com
1816	7C0E1B~1.EXE
4904	svchost.com
1988	7C0E1B~1.EXE
2640	svchost.com
1820	7C0E1B~1.EXE
4728	svchost.com
2072	7C0E1B~1.EXE
2840	svchost.com
4940	7C0E1B~1.EXE
5080	svchost.com
1676	7C0E1B~1.EXE
3836	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1136	7C0E1B~1.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7C0E1B~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7C0E1B~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C0E1B~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	7C0E1B~1.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1136	7C0E1B~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1136	7C0E1B~1.EXE
1136	7C0E1B~1.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1136	7C0E1B~1.EXE
1136	7C0E1B~1.EXE
1136	7C0E1B~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2828	1140	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	83
PID 1140 wrote to memory of 2828	1140	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	83
PID 1140 wrote to memory of 2828	1140	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	83
PID 2828 wrote to memory of 4364	2828	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	84
PID 2828 wrote to memory of 4364	2828	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	84
PID 2828 wrote to memory of 4364	2828	7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe	84
PID 4364 wrote to memory of 1448	4364	svchost.com	85
PID 4364 wrote to memory of 1448	4364	svchost.com	85
PID 4364 wrote to memory of 1448	4364	svchost.com	85
PID 1448 wrote to memory of 3652	1448	7C0E1B~1.EXE	86
PID 1448 wrote to memory of 3652	1448	7C0E1B~1.EXE	86
PID 1448 wrote to memory of 3652	1448	7C0E1B~1.EXE	86
PID 3652 wrote to memory of 1060	3652	svchost.com	114
PID 3652 wrote to memory of 1060	3652	svchost.com	114
PID 3652 wrote to memory of 1060	3652	svchost.com	114
PID 1060 wrote to memory of 1928	1060	7C0E1B~1.EXE	88
PID 1060 wrote to memory of 1928	1060	7C0E1B~1.EXE	88
PID 1060 wrote to memory of 1928	1060	7C0E1B~1.EXE	88
PID 1928 wrote to memory of 4488	1928	svchost.com	89
PID 1928 wrote to memory of 4488	1928	svchost.com	89
PID 1928 wrote to memory of 4488	1928	svchost.com	89
PID 4488 wrote to memory of 5028	4488	7C0E1B~1.EXE	90
PID 4488 wrote to memory of 5028	4488	7C0E1B~1.EXE	90
PID 4488 wrote to memory of 5028	4488	7C0E1B~1.EXE	90
PID 5028 wrote to memory of 4796	5028	svchost.com	91
PID 5028 wrote to memory of 4796	5028	svchost.com	91
PID 5028 wrote to memory of 4796	5028	svchost.com	91
PID 4796 wrote to memory of 2632	4796	7C0E1B~1.EXE	92
PID 4796 wrote to memory of 2632	4796	7C0E1B~1.EXE	92
PID 4796 wrote to memory of 2632	4796	7C0E1B~1.EXE	92
PID 2632 wrote to memory of 4528	2632	svchost.com	93
PID 2632 wrote to memory of 4528	2632	svchost.com	93
PID 2632 wrote to memory of 4528	2632	svchost.com	93
PID 4528 wrote to memory of 3624	4528	7C0E1B~1.EXE	94
PID 4528 wrote to memory of 3624	4528	7C0E1B~1.EXE	94
PID 4528 wrote to memory of 3624	4528	7C0E1B~1.EXE	94
PID 3624 wrote to memory of 1476	3624	svchost.com	95
PID 3624 wrote to memory of 1476	3624	svchost.com	95
PID 3624 wrote to memory of 1476	3624	svchost.com	95
PID 1476 wrote to memory of 3220	1476	7C0E1B~1.EXE	213
PID 1476 wrote to memory of 3220	1476	7C0E1B~1.EXE	213
PID 1476 wrote to memory of 3220	1476	7C0E1B~1.EXE	213
PID 3220 wrote to memory of 4904	3220	svchost.com	136
PID 3220 wrote to memory of 4904	3220	svchost.com	136
PID 3220 wrote to memory of 4904	3220	svchost.com	136
PID 4904 wrote to memory of 3548	4904	7C0E1B~1.EXE	98
PID 4904 wrote to memory of 3548	4904	7C0E1B~1.EXE	98
PID 4904 wrote to memory of 3548	4904	7C0E1B~1.EXE	98
PID 3548 wrote to memory of 2168	3548	svchost.com	99
PID 3548 wrote to memory of 2168	3548	svchost.com	99
PID 3548 wrote to memory of 2168	3548	svchost.com	99
PID 2168 wrote to memory of 3588	2168	7C0E1B~1.EXE	100
PID 2168 wrote to memory of 3588	2168	7C0E1B~1.EXE	100
PID 2168 wrote to memory of 3588	2168	7C0E1B~1.EXE	100
PID 3588 wrote to memory of 3108	3588	svchost.com	101
PID 3588 wrote to memory of 3108	3588	svchost.com	101
PID 3588 wrote to memory of 3108	3588	svchost.com	101
PID 3108 wrote to memory of 5068	3108	7C0E1B~1.EXE	102
PID 3108 wrote to memory of 5068	3108	7C0E1B~1.EXE	102
PID 3108 wrote to memory of 5068	3108	7C0E1B~1.EXE	102
PID 5068 wrote to memory of 3616	5068	svchost.com	103
PID 5068 wrote to memory of 3616	5068	svchost.com	103
PID 5068 wrote to memory of 3616	5068	svchost.com	103
PID 3616 wrote to memory of 872	3616	7C0E1B~1.EXE	181

C:\Users\Admin\AppData\Local\Temp\7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
"C:\Users\Admin\AppData\Local\Temp\7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\3582-490\7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        66⤵
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        70⤵
        Checks computer location settings
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        73⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        74⤵
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        75⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        76⤵
        Checks computer location settings
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        77⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        80⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        81⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        82⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        83⤵
        Drops file in Windows directory
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        84⤵
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        85⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        86⤵
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        87⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        88⤵
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        89⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        90⤵
        Modifies registry class
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        91⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        92⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        93⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        95⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        96⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        97⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        98⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        100⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        101⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        102⤵
        
        PID:3136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        103⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        104⤵
        Modifies registry class
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        105⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        106⤵
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        107⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        108⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        109⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        110⤵
        Drops file in Windows directory
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        111⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        112⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        115⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        116⤵
        Checks computer location settings
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        118⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        119⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        120⤵
        Modifies registry class
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        122⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        123⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        125⤵
        Drops file in Windows directory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        126⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        127⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        128⤵
        Modifies registry class
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        129⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        130⤵
        Modifies registry class
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        131⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        132⤵
        Modifies registry class
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        133⤵
        Drops file in Windows directory
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        134⤵
        
        PID:3540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        135⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        137⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        138⤵
        Checks computer location settings
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        141⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        142⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        143⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        144⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        145⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        146⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        147⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        148⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        149⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        150⤵
        Checks computer location settings
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        151⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        152⤵
        
        PID:948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        153⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        154⤵
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        155⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        156⤵
        Checks computer location settings
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        158⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        159⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        160⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        161⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        162⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        164⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        165⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        166⤵
        Modifies registry class
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        167⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        168⤵
        
        PID:1448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        170⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        171⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        172⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        173⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        174⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        177⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        178⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        179⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        181⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        182⤵
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        183⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        184⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        185⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        186⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        187⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        189⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        190⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        192⤵
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        193⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        194⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        196⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        197⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        198⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        199⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        200⤵
        Checks computer location settings
        
        PID:3240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        201⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        202⤵
        Checks computer location settings
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        203⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        204⤵
        Modifies registry class
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        205⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        206⤵
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        207⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        208⤵
        Drops file in Windows directory
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        209⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        210⤵
        Drops file in Windows directory
        
        PID:3532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        211⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        212⤵
        
        PID:3964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        213⤵
        Drops file in Windows directory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        214⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        215⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        216⤵
        
        PID:220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        217⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        218⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        219⤵
        Drops file in Windows directory
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        220⤵
        Checks computer location settings
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        221⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        222⤵
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        223⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        224⤵
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        225⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        226⤵
        Modifies registry class
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        227⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        228⤵
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        229⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        232⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        233⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        234⤵
        Checks computer location settings
        
        PID:4904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        235⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        237⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        238⤵
        
        PID:3240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        239⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        240⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        241⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        242⤵
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        243⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        244⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        245⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        246⤵
        
        PID:3492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        247⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        248⤵
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        249⤵
        Drops file in Windows directory
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        250⤵
        Drops file in Windows directory
        
        PID:4936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        251⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        252⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        254⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        256⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        257⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        258⤵
        Modifies registry class
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        260⤵
        Modifies registry class
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        261⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        262⤵
        Drops file in Windows directory
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        263⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        264⤵
        Checks computer location settings
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        265⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        266⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        267⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        268⤵
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        269⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        270⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        272⤵
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        273⤵
        Drops file in Windows directory
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        274⤵
        
        PID:4884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        275⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        276⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        277⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        278⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        279⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        280⤵
        Checks computer location settings
        Modifies registry class
        
        PID:432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        281⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        282⤵
        Drops file in Windows directory
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        283⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        284⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        285⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        286⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        287⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        288⤵
        Checks computer location settings
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        289⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        290⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        291⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        293⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        294⤵
        Checks computer location settings
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        296⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        297⤵
        Drops file in Windows directory
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        298⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        299⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        300⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        301⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        302⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        303⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        304⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        305⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        306⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        308⤵
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        309⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        310⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        311⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        312⤵
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        313⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        314⤵
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        316⤵
        Modifies registry class
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        317⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        318⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        319⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        320⤵
        
        PID:3548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        321⤵
        Drops file in Windows directory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        322⤵
        Checks computer location settings
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        323⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        324⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        326⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        327⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        328⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        329⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        330⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        331⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        332⤵
        Modifies registry class
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        333⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        334⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        335⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        336⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        337⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        338⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        339⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        340⤵
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        341⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        342⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        343⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        344⤵
        Checks computer location settings
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        345⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        346⤵
        Checks computer location settings
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        347⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        348⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        349⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        350⤵
        
        PID:1900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        351⤵
        Drops file in Windows directory
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        352⤵
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        354⤵
        Checks computer location settings
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        355⤵
        Drops file in Windows directory
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        356⤵
        Checks computer location settings
        Modifies registry class
        
        PID:324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        357⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        358⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        360⤵
        Modifies registry class
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        361⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        362⤵
        
        PID:3540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        363⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        364⤵
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        365⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        367⤵
        Drops file in Windows directory
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        368⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        369⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        370⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        371⤵
        Drops file in Windows directory
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        372⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        373⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        374⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        375⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        377⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        378⤵
        
        PID:4468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        379⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        380⤵
        Checks computer location settings
        Modifies registry class
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        381⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        382⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        383⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        384⤵
        Modifies registry class
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        385⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        386⤵
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        387⤵
        Drops file in Windows directory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        389⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        390⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        391⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        392⤵
        Drops file in Windows directory
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        393⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        394⤵
        
        PID:4748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        395⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        396⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        397⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        398⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        399⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        400⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        401⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        402⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        403⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        404⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        405⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        406⤵
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        407⤵
        Drops file in Windows directory
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        408⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE"
        409⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7C0E1B~1.EXE
        410⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi5lObcypTsAhVh-yoKHRUeAHIQFjAPegQICBAC&url=https%3A%2F%2Feasy-firmware.com%2Findex.php%3Fa%3Ddownloads%26b%3Dfolder%26id%3D5691&usg=AOvVaw1nTDxuCisH83j8a8AgvYGa
        411⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi5lObcypTsAhVh-yoKHRUeAHIQFjAPegQICBAC&url=https%3A%2F%2Feasy-firmware.com%2Findex.php%3Fa%3Ddownloads%26b%3Dfolder%26id%3D5691&usg=AOvVaw1nTDxuCisH83j8a8AgvYGa
        412⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi5lObcypTsAhVh-yoKHRUeAHIQFjAPegQICBAC&url=https%3A%2F%2Feasy-firmware.com%2Findex.php%3Fa%3Ddownloads%26b%3Dfolder%26id%3D5691&usg=AOvVaw1nTDxuCisH83j8a8AgvYGa
        413⤵
        
        PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5088

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
4ab023aa6def7b300dec4fc7ef55dbe7

SHA1
aa30491eb799fa5bdf79691f8fe5e087467463f1

SHA256
8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673

SHA512
000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
1b0841fe3786ef37affe9115404637a0

SHA1
c3209520ae779f2fd2babe293e4b4fedb394aef9

SHA256
e1a35f201df61ddcc4aa8ed88ecf5c46f376e39bfdee40a728083ae7f3431dcc

SHA512
421e0ba5a08428ef2f1efd804b1c57de544a6f9128ed0f8fdbccb6c03fe08cb3128d2b0d99da22c38114183d7b538d560a889d6e4bfe9158e4e3678cc23dc569

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
6b27dd3f7c6898e7d1bcff73d6e29858

SHA1
55102c244643d43aeaf625145c6475e78dfbe9de

SHA256
53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3

SHA512
52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
bbda5e6b7727d985751f80801d337668

SHA1
98c8e87c500d1e065a633aec5650501b6d2e0407

SHA256
797644b71acfc00c6c45e0491ab60f7580acda30aa3cad828baa7fd2902d58b1

SHA512
444f0488ecd7849f1f53342eb72a8c22cd0c329df2a7916caf45f6745f97e3b5f673fcc97b3246ca88bc34d160e63b6190c2709fdf5cda67cc4a85797c5fd1af

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
788fde156cc6e54ee2962198ac4a6c53

SHA1
09e1560bf5ec8fb5706a91eff97e327af7b962ae

SHA256
4c4344610c8ba2c3b2c0f2e47c45b1d8c9799ef3448d409607d1f139ee523ebc

SHA512
8ed288766dd4cc65328136d200bb1ed3a38c33b82720979be78ab02466b8dbaf800cceb0c5967268286b1adf3ec6446ceec42b1f12ab6f0ccb77fef29b0c2e8c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

Filesize
276KB

MD5
ba7183fd7df27ec1e611f848d25ffdee

SHA1
0cc8f3e9c24da5f02ff57a66b9e7485763604beb

SHA256
7de95943142a2ccc03a6e84846b045c374bdb71a444b6116901d43f9f9e635ac

SHA512
2c6316e94a6d3dc668892aa7919ed2b8b852b5844c9e223329e3c91a4d0e6c3f5eb03dc327e3a92265e0fed89406cb2210b9b919331e3a8eda1ef4a55f74d3a5

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
cd4af683704c71887125716ca891e18c

SHA1
64d02bac29cfeeed31978438d572230f316d61df

SHA256
1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5

SHA512
dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
b30563cc31305ef1397cfa0f379b8963

SHA1
5a78c13fc0035cddb68117e2085dd794d17e13f5

SHA256
c4443fb6195c73ee05f0718f948df0f3a8ec259d72196a2a0edc5f7eaed96bae

SHA512
3b376c2b8daf658de6d6f23d3b36dd64b57b4bdcac045f2caa45ea22f9eed92ee1cb314b385776663bef563fb30e7b54c3cbe072c88e6b8db37171a14ff85a56

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
e2b4d2c7b6fa09e5bd3f6df9fc6e8655

SHA1
eca5d5cc3475a9628b504102f61e0bd9dac9ad02

SHA256
b00ec004498d598e10f285bb322b859cd57b640c500c804e7b15a212aaded5fa

SHA512
db02329122f67bb2241bbe91d5b0c2570782d643ba382e691cfa6ee306eb257b2f92c0920a34f2b56d656d8fb2c02e22cb933faa03884848d7b66028de05b1ed

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
72671b444a2396e4ca4fd54e4a6951ef

SHA1
d2fe57901223c965c3f4f513cec90d60bc3e2ea1

SHA256
8d828b8e9a8a90810c569c1e5a43f5fd9e1a126386ebb16c3980609507744bac

SHA512
cf4f0332b5f359372ad8e56619aef8c2771d5e3a2bfd0023409822c162fbd9933206b5781e5fd5f67a50a2b68721b5e0f2cb2b03cdab8a05b4f28d28c93f8b7e

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
6300a726756bfdf266b92f280a0e79f3

SHA1
c1d31d9e79102f137cb6825feb49090698486a22

SHA256
e4150e18e46af7fbcd5ce928dba86e3eed7f5ab0f122b2bb9d1bab99122fef4b

SHA512
2070828dc743a56866c2668337f04e7a052f501279d75bbae802424ed3ea5cc82ecb27c779a701b9d29953c07ee8eff7b61b326617001d9167389d02f068af7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7c0e1b66cb2f91b0927be6b270b05b519085b9c6d69947fb6a1fba6f4931cfd6.exe

Filesize
6.0MB

MD5
7c23416f00dd1b5b4fdfc9b816b36223

SHA1
138c9ab82c24b5c2262f53aafa1b5ee143db5d1d

SHA256
efda4c98ed2d52847307c8f39c52ab29274018d58900495e1c663484bb1c346b

SHA512
60e9f19534acecb4b3b223e71506978d6f023c64cc58012fa89f14acf38c5687494f14e64421fbb8dbbf54bde634401b62c02a46fc649de7732612366a03216c

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
cc2f3b51f2e78cafce999e604a8b3277

SHA1
f2e64b7d1f0581052cbfea99a8a809922a62e69c

SHA256
e6475c558d13bbad756c32a904648acf36c3f9bddd7aad597847cc159696c06f

SHA512
2cba040b4f1a5e137e9e44b1364ccec43173b677a24a3318b599c86ea4482ae2aaeb9f2af3be72fe6514dda0879b0bd506acd1e08b48f963c6ae446fc06cb6a1

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7c3b641ebc11051157eceea2e3b33136

SHA1
d776b0b45a7507b0dcf9128023e4775729195df5

SHA256
13b85a107f28d538b7e21e741afa554a0888ffceba85cb7994970475db3d577f

SHA512
890a14514417814df154b05354e6717d1cb85de47c6027a1fcbbc01bf390e912ac48e1e2be6c514acd3078194eff46b592562017fa163d1c2214816e84abc267

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
5ae24b380489fcb2e139b9709eb2f093

SHA1
6e3fb5cae02fa7b41381127a529ecba0c0f5bf02

SHA256
5bf5b7a492b20c9afbff74653e3df6af013f13ab6963573e20f182533d1b56af

SHA512
1c7d7fb53dbe125aa00af5caf1ce06770290e436d26edbd6b26ba10ff227ae45dea38f930006f7fa5bd11ab7df57d40748431c2b995d6d81786bfb74d98e5099

Download Submit
memory/100-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/872-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/948-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1100-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-1545-0x0000000000CF0000-0x0000000001D0B000-memory.dmp

Filesize
16.1MB

Download
memory/1136-1521-0x0000000000CF0000-0x0000000001D0B000-memory.dmp

Filesize
16.1MB

Download
memory/1140-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1192-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1400-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1420-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1676-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2536-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3108-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3220-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3304-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3536-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3548-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3604-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3616-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3624-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3652-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3836-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3860-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4352-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4380-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4396-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4488-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4760-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4784-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4796-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4880-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4904-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4904-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4968-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5068-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5076-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5080-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download