neshta | 7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Size

301KB
MD5

408826cfe2454311f032f323a3f62e99
SHA1

547d37b16f499c68e9affe4de72b644bf5321cda
SHA256

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd
SHA512

3056ef3263c0be2b528fb92f5ddef481136d182c71f192da4b88a392d0acad616226ce31e3b2c41bc7de21e79a6dd7b984deedd5b3217d55b65c73f00e52ef58
SSDEEP

3072:zr8WDrCxjoByFgAsaCRSkrmfAPXSPBIFXMN3uCo//9urTWuFsxihGrJW/UmTXItd:PuqchCReAPC0XMRqGWUlxTXb0bYu

Score

10^/10

neshta discovery persistence pyinstaller spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7CFCC6~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2556	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
4924	svchost.com
404	7CFCC6~1.EXE
3640	svchost.com
3972	7CFCC6~1.EXE
4244	svchost.com
4420	7CFCC6~1.EXE
4580	svchost.com
4960	7CFCC6~1.EXE
1428	svchost.com
4028	7CFCC6~1.EXE
4820	svchost.com
3900	7CFCC6~1.EXE
4100	svchost.com
1124	7CFCC6~1.EXE
1700	svchost.com
4756	7CFCC6~1.EXE
2196	svchost.com
4684	7CFCC6~1.EXE
1768	svchost.com
4872	7CFCC6~1.EXE
4316	svchost.com
4456	7CFCC6~1.EXE
3424	svchost.com
4448	7CFCC6~1.EXE
4596	svchost.com
1296	7CFCC6~1.EXE
4396	svchost.com
3096	7CFCC6~1.EXE
2036	svchost.com
4868	7CFCC6~1.EXE
3836	svchost.com
2956	7CFCC6~1.EXE
4888	svchost.com
1456	7CFCC6~1.EXE
3392	svchost.com
3216	7CFCC6~1.EXE
3820	svchost.com
2876	7CFCC6~1.EXE
2516	svchost.com
2476	7CFCC6~1.EXE
2384	svchost.com
2936	7CFCC6~1.EXE
508	svchost.com
1124	7CFCC6~1.EXE
3852	svchost.com
3384	7CFCC6~1.EXE
1568	svchost.com
3336	7CFCC6~1.EXE
3892	svchost.com
2092	7CFCC6~1.EXE
4928	svchost.com
1436	7CFCC6~1.EXE
4844	svchost.com
2388	7CFCC6~1.EXE
1084	svchost.com
2308	7CFCC6~1.EXE
4500	svchost.com
100	7CFCC6~1.EXE
1112	svchost.com
4512	7CFCC6~1.EXE
436	svchost.com
5100	7CFCC6~1.EXE
2736	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023b8c-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7CFCC6~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2556	2436	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 2436 wrote to memory of 2556	2436	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 2436 wrote to memory of 2556	2436	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	83
PID 2556 wrote to memory of 4924	2556	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	84
PID 2556 wrote to memory of 4924	2556	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	84
PID 2556 wrote to memory of 4924	2556	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	84
PID 4924 wrote to memory of 404	4924	svchost.com	85
PID 4924 wrote to memory of 404	4924	svchost.com	85
PID 4924 wrote to memory of 404	4924	svchost.com	85
PID 404 wrote to memory of 3640	404	7CFCC6~1.EXE	86
PID 404 wrote to memory of 3640	404	7CFCC6~1.EXE	86
PID 404 wrote to memory of 3640	404	7CFCC6~1.EXE	86
PID 3640 wrote to memory of 3972	3640	svchost.com	87
PID 3640 wrote to memory of 3972	3640	svchost.com	87
PID 3640 wrote to memory of 3972	3640	svchost.com	87
PID 3972 wrote to memory of 4244	3972	7CFCC6~1.EXE	88
PID 3972 wrote to memory of 4244	3972	7CFCC6~1.EXE	88
PID 3972 wrote to memory of 4244	3972	7CFCC6~1.EXE	88
PID 4244 wrote to memory of 4420	4244	svchost.com	89
PID 4244 wrote to memory of 4420	4244	svchost.com	89
PID 4244 wrote to memory of 4420	4244	svchost.com	89
PID 4420 wrote to memory of 4580	4420	7CFCC6~1.EXE	90
PID 4420 wrote to memory of 4580	4420	7CFCC6~1.EXE	90
PID 4420 wrote to memory of 4580	4420	7CFCC6~1.EXE	90
PID 4580 wrote to memory of 4960	4580	svchost.com	91
PID 4580 wrote to memory of 4960	4580	svchost.com	91
PID 4580 wrote to memory of 4960	4580	svchost.com	91
PID 4960 wrote to memory of 1428	4960	7CFCC6~1.EXE	157
PID 4960 wrote to memory of 1428	4960	7CFCC6~1.EXE	157
PID 4960 wrote to memory of 1428	4960	7CFCC6~1.EXE	157
PID 1428 wrote to memory of 4028	1428	svchost.com	93
PID 1428 wrote to memory of 4028	1428	svchost.com	93
PID 1428 wrote to memory of 4028	1428	svchost.com	93
PID 4028 wrote to memory of 4820	4028	7CFCC6~1.EXE	94
PID 4028 wrote to memory of 4820	4028	7CFCC6~1.EXE	94
PID 4028 wrote to memory of 4820	4028	7CFCC6~1.EXE	94
PID 4820 wrote to memory of 3900	4820	svchost.com	95
PID 4820 wrote to memory of 3900	4820	svchost.com	95
PID 4820 wrote to memory of 3900	4820	svchost.com	95
PID 3900 wrote to memory of 4100	3900	7CFCC6~1.EXE	96
PID 3900 wrote to memory of 4100	3900	7CFCC6~1.EXE	96
PID 3900 wrote to memory of 4100	3900	7CFCC6~1.EXE	96
PID 4100 wrote to memory of 1124	4100	svchost.com	127
PID 4100 wrote to memory of 1124	4100	svchost.com	127
PID 4100 wrote to memory of 1124	4100	svchost.com	127
PID 1124 wrote to memory of 1700	1124	7CFCC6~1.EXE	98
PID 1124 wrote to memory of 1700	1124	7CFCC6~1.EXE	98
PID 1124 wrote to memory of 1700	1124	7CFCC6~1.EXE	98
PID 1700 wrote to memory of 4756	1700	svchost.com	99
PID 1700 wrote to memory of 4756	1700	svchost.com	99
PID 1700 wrote to memory of 4756	1700	svchost.com	99
PID 4756 wrote to memory of 2196	4756	7CFCC6~1.EXE	100
PID 4756 wrote to memory of 2196	4756	7CFCC6~1.EXE	100
PID 4756 wrote to memory of 2196	4756	7CFCC6~1.EXE	100
PID 2196 wrote to memory of 4684	2196	svchost.com	101
PID 2196 wrote to memory of 4684	2196	svchost.com	101
PID 2196 wrote to memory of 4684	2196	svchost.com	101
PID 4684 wrote to memory of 1768	4684	7CFCC6~1.EXE	102
PID 4684 wrote to memory of 1768	4684	7CFCC6~1.EXE	102
PID 4684 wrote to memory of 1768	4684	7CFCC6~1.EXE	102
PID 1768 wrote to memory of 4872	1768	svchost.com	213
PID 1768 wrote to memory of 4872	1768	svchost.com	213
PID 1768 wrote to memory of 4872	1768	svchost.com	213
PID 4872 wrote to memory of 4316	4872	7CFCC6~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
"C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        66⤵
        Checks computer location settings
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        67⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        68⤵
        Checks computer location settings
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        69⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        70⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        71⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        72⤵
        Drops file in Windows directory
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        73⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        74⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        75⤵
        Drops file in Windows directory
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        76⤵
        Modifies registry class
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        77⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        80⤵
        Checks computer location settings
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        83⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        84⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        86⤵
        Modifies registry class
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        87⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        88⤵
        Modifies registry class
        
        PID:5116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        89⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        91⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        92⤵
        Modifies registry class
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        93⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        94⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        96⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        97⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        98⤵
        Checks computer location settings
        
        PID:3840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        100⤵
        Modifies registry class
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        101⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        102⤵
        Checks computer location settings
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        103⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        105⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        106⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        108⤵
        
        PID:4988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        110⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        112⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        113⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        115⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        116⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        117⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        118⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        119⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        121⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        122⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        123⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        124⤵
        Checks computer location settings
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        125⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        126⤵
        Checks computer location settings
        Modifies registry class
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        127⤵
        Drops file in Windows directory
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        128⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        129⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        130⤵
        Checks computer location settings
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        132⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        134⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        135⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        136⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        137⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        138⤵
        Checks computer location settings
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        139⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        140⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        141⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        142⤵
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        144⤵
        
        PID:756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        145⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        146⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        147⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        149⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        150⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        151⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        153⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        154⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        155⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        156⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        157⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        158⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        159⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        160⤵
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        162⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        163⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        164⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        165⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        168⤵
        Modifies registry class
        
        PID:1328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        169⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        170⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        171⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        173⤵
        Drops file in Windows directory
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        174⤵
        Checks computer location settings
        Modifies registry class
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        176⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        178⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        179⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        181⤵
        Drops file in Windows directory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        182⤵
        
        PID:3400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        184⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        185⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        186⤵
        Drops file in Windows directory
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        187⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        188⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        189⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        190⤵
        Drops file in Windows directory
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        192⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        194⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        196⤵
        Drops file in Windows directory
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        197⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        198⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        199⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        200⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        202⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        206⤵
        Drops file in Windows directory
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        207⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        208⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        210⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        211⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        212⤵
        Modifies registry class
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        214⤵
        
        PID:3940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        215⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        216⤵
        Checks computer location settings
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        218⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        219⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        220⤵
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        221⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        222⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        223⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        224⤵
        Modifies registry class
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        226⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        227⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        228⤵
        Checks computer location settings
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        229⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        230⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        231⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        232⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        233⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        234⤵
        Drops file in Windows directory
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        235⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        236⤵
        Checks computer location settings
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        237⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        238⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        240⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        241⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        243⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        244⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        246⤵
        Drops file in Windows directory
        
        PID:4248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        247⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        248⤵
        Checks computer location settings
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        249⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        250⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        252⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        254⤵
        Modifies registry class
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        256⤵
        
        PID:4800

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
4ab023aa6def7b300dec4fc7ef55dbe7

SHA1
aa30491eb799fa5bdf79691f8fe5e087467463f1

SHA256
8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673

SHA512
000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
47b83d851ab7ef181eaf877d4eab8741

SHA1
246ec2d514709bd0fc1abe51c67536d0f7938d1f

SHA256
25ad1b1629e026a904d1ff54286ca8cd3b766bbe8055ccfa925f2850721914d3

SHA512
9cd5200521943a83ee562ec2f6457fc8d9779863ffe7bc93e6d268d1a39ca71e64f1b8fac594fd6557e8d0fe65fb319a033957adbaf6111c616e55dc848c00cd

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
78f77aff4993684fdbcad13c74d5f364

SHA1
0b02ed9112021b3c65778fdce0642e81dfb5b628

SHA256
9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb

SHA512
568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
619314ef3e2e5abde1bb19dbce363220

SHA1
5fc9e9c74d8fdc9d185f524dc1364500883c4eef

SHA256
763c48c14695500dd1f8b1b88f7be84a9fe95d9a7bb63211f74cbe210e0a58af

SHA512
5389516629a884b109950254398d1453fd573ce6f73ff3479322c1361ec990b53cd0cec2fbe366e7ab0ba704bfb1f5fd58dc7ec3d81254c9256973f4983ec360

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

Filesize
244KB

MD5
788fde156cc6e54ee2962198ac4a6c53

SHA1
09e1560bf5ec8fb5706a91eff97e327af7b962ae

SHA256
4c4344610c8ba2c3b2c0f2e47c45b1d8c9799ef3448d409607d1f139ee523ebc

SHA512
8ed288766dd4cc65328136d200bb1ed3a38c33b82720979be78ab02466b8dbaf800cceb0c5967268286b1adf3ec6446ceec42b1f12ab6f0ccb77fef29b0c2e8c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

Filesize
276KB

MD5
ba7183fd7df27ec1e611f848d25ffdee

SHA1
0cc8f3e9c24da5f02ff57a66b9e7485763604beb

SHA256
7de95943142a2ccc03a6e84846b045c374bdb71a444b6116901d43f9f9e635ac

SHA512
2c6316e94a6d3dc668892aa7919ed2b8b852b5844c9e223329e3c91a4d0e6c3f5eb03dc327e3a92265e0fed89406cb2210b9b919331e3a8eda1ef4a55f74d3a5

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
f6642c55c5ff21542f7fff8a3d798c95

SHA1
e95c4c96758becf918380ae96749addb22a13fc1

SHA256
49449482d8ac20ed019f28b858c806c6aa75392aea28785366dc0c902bb88ec6

SHA512
530ccc2cc080a383fb87b8ebad84ec541cd17cf4e41bf6b0a8e41897b2aede840282c5bc4c3a65016f7f4b2d4b87396d60524ae2217d9624b5d574de419e6a61

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
24eeb998cb16869438b95642d49ac3dd

SHA1
b45aa87f45250aa3482c29b24fa4aa3d57ae4c71

SHA256
a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0

SHA512
2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
69e1e0de795a8bf8c4884cb98203b1f4

SHA1
a17f2ba68776596e2d1593781289c7007a805675

SHA256
2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb

SHA512
353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
af9aba6ab24cba804abba88d1626b2b9

SHA1
6a387c9ec2c06178476f8439a5a3d9149c480a9a

SHA256
e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90

SHA512
9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
4a8c0567db2df44b7de7b30326e6a5ec

SHA1
5c4fbf627116245185453683b2b57c034283a96f

SHA256
41329db7f75270906bad6d29005d0337bf01c396ca4e98003d86d04ac667be35

SHA512
44d0d92a9ac20af8fb3f5942912d2236debf86a60a7085db529bb1af5fb5ba8ff29bd1b6d45ed44eb2e9dbf1ce921d5fe0ce5babd63420f1103e300276af3f08

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
96c338591ac8ea4483337c8371cfbab9

SHA1
21bed3f86db1c33912390db397678631c876f431

SHA256
7237de120dcf61936d33394b8e211d4af88a7e4c6ee53cf053a54b8b60c23a1e

SHA512
44e44c466ca812a1ce21f5ba8e3e57434ae7ff1549b0315d3887cd467da40e1604ec9a69f07d7e3c834aa1d96c8206628ce173ae8a8a59a9d713b516f58e9455

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Filesize
260KB

MD5
527d3369afe964e85e82b9c7095e1274

SHA1
194faba89123aa0125178c970903f74f34b3529a

SHA256
df4523a0ecfb63fb8b8b6da8aff955bcaa87f1a16a2d70ee3fc8dbd22f6e3fca

SHA512
444c1d377a6092098799f914cdc316719aa5cba638ad64bf18db17a8ac8535bac92944865f6acaa87e41f5b8ab34d81f549753f7eb45f863f5a3c36cbb858fc3

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
e8d561e162ed1fb7fecd9dc375f93968

SHA1
c4e4ae68333265bf038de64856b4089726a046b7

SHA256
4c821f06812ef3ef15b95da08a7e5b3b5220cbdeff08f8fe385dd9235db79ed1

SHA512
0bb18784785ee95abe05d2c2ca970b6c1152e2b414e7d50e237df9008bbe3e1defdcd076933ef3e7f8e1e2e2ed6bf1bb3f43770fcde814a0524d36276707047b

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/100-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/404-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/436-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/508-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1112-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1124-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1124-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1428-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1436-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1456-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1568-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2196-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2384-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2388-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2436-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2476-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3096-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3216-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3336-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3384-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3392-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3640-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3820-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3836-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3852-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3900-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4100-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4244-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4316-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4396-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4420-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4512-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4596-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4756-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4820-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4868-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4888-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4928-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4960-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads