neshta | 7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd

Analysis

max time kernel
92s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Size

265KB
MD5

2e74c916bee35d5b748ddde7e555693e
SHA1

d14604184262d1d42df9e9c9ad41b8b7fbdc0ed8
SHA256

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd
SHA512

b5c8ca23f1ab8e6fab182d33c1cf6ade51450b0f9000191288462072308843c8c505021ef5f018524d522ed2e376133434415348e74706714b55c9807612b038
SSDEEP

3072:zr8WDrCbzmm71+7Xj4HOb+wlCXv3hVvr8WDrC:Pud7YXj4iRlqJu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7DF959~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
3480	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
3660	svchost.com
3488	7DF959~1.EXE
224	svchost.com
2604	7DF959~1.EXE
4272	svchost.com
676	7DF959~1.EXE
212	svchost.com
3140	7DF959~1.EXE
3472	svchost.com
3596	7DF959~1.EXE
1824	svchost.com
4592	7DF959~1.EXE
3144	svchost.com
4396	7DF959~1.EXE
3764	svchost.com
408	7DF959~1.EXE
2228	svchost.com
1372	7DF959~1.EXE
5112	svchost.com
1720	7DF959~1.EXE
4304	svchost.com
4548	7DF959~1.EXE
3136	svchost.com
808	7DF959~1.EXE
4340	svchost.com
4520	7DF959~1.EXE
3632	svchost.com
2060	7DF959~1.EXE
3020	svchost.com
2588	7DF959~1.EXE
4948	svchost.com
4908	7DF959~1.EXE
4272	svchost.com
3276	7DF959~1.EXE
3788	svchost.com
400	7DF959~1.EXE
2892	svchost.com
2968	7DF959~1.EXE
3884	svchost.com
712	7DF959~1.EXE
728	svchost.com
1792	7DF959~1.EXE
4924	svchost.com
216	7DF959~1.EXE
5040	svchost.com
3908	7DF959~1.EXE
752	svchost.com
2824	7DF959~1.EXE
4884	svchost.com
4704	7DF959~1.EXE
2768	svchost.com
3712	7DF959~1.EXE
4008	svchost.com
5052	7DF959~1.EXE
5004	svchost.com
5112	7DF959~1.EXE
832	svchost.com
3844	7DF959~1.EXE
544	svchost.com
4348	7DF959~1.EXE
2916	svchost.com
3648	7DF959~1.EXE
3620	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7DF959~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3480	4308	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	83
PID 4308 wrote to memory of 3480	4308	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	83
PID 4308 wrote to memory of 3480	4308	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	83
PID 3480 wrote to memory of 3660	3480	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	84
PID 3480 wrote to memory of 3660	3480	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	84
PID 3480 wrote to memory of 3660	3480	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	84
PID 3660 wrote to memory of 3488	3660	svchost.com	85
PID 3660 wrote to memory of 3488	3660	svchost.com	85
PID 3660 wrote to memory of 3488	3660	svchost.com	85
PID 3488 wrote to memory of 224	3488	7DF959~1.EXE	86
PID 3488 wrote to memory of 224	3488	7DF959~1.EXE	86
PID 3488 wrote to memory of 224	3488	7DF959~1.EXE	86
PID 224 wrote to memory of 2604	224	svchost.com	87
PID 224 wrote to memory of 2604	224	svchost.com	87
PID 224 wrote to memory of 2604	224	svchost.com	87
PID 2604 wrote to memory of 4272	2604	7DF959~1.EXE	116
PID 2604 wrote to memory of 4272	2604	7DF959~1.EXE	116
PID 2604 wrote to memory of 4272	2604	7DF959~1.EXE	116
PID 4272 wrote to memory of 676	4272	svchost.com	89
PID 4272 wrote to memory of 676	4272	svchost.com	89
PID 4272 wrote to memory of 676	4272	svchost.com	89
PID 676 wrote to memory of 212	676	7DF959~1.EXE	90
PID 676 wrote to memory of 212	676	7DF959~1.EXE	90
PID 676 wrote to memory of 212	676	7DF959~1.EXE	90
PID 212 wrote to memory of 3140	212	svchost.com	91
PID 212 wrote to memory of 3140	212	svchost.com	91
PID 212 wrote to memory of 3140	212	svchost.com	91
PID 3140 wrote to memory of 3472	3140	7DF959~1.EXE	92
PID 3140 wrote to memory of 3472	3140	7DF959~1.EXE	92
PID 3140 wrote to memory of 3472	3140	7DF959~1.EXE	92
PID 3472 wrote to memory of 3596	3472	svchost.com	93
PID 3472 wrote to memory of 3596	3472	svchost.com	93
PID 3472 wrote to memory of 3596	3472	svchost.com	93
PID 3596 wrote to memory of 1824	3596	7DF959~1.EXE	94
PID 3596 wrote to memory of 1824	3596	7DF959~1.EXE	94
PID 3596 wrote to memory of 1824	3596	7DF959~1.EXE	94
PID 1824 wrote to memory of 4592	1824	svchost.com	95
PID 1824 wrote to memory of 4592	1824	svchost.com	95
PID 1824 wrote to memory of 4592	1824	svchost.com	95
PID 4592 wrote to memory of 3144	4592	7DF959~1.EXE	96
PID 4592 wrote to memory of 3144	4592	7DF959~1.EXE	96
PID 4592 wrote to memory of 3144	4592	7DF959~1.EXE	96
PID 3144 wrote to memory of 4396	3144	svchost.com	97
PID 3144 wrote to memory of 4396	3144	svchost.com	97
PID 3144 wrote to memory of 4396	3144	svchost.com	97
PID 4396 wrote to memory of 3764	4396	7DF959~1.EXE	98
PID 4396 wrote to memory of 3764	4396	7DF959~1.EXE	98
PID 4396 wrote to memory of 3764	4396	7DF959~1.EXE	98
PID 3764 wrote to memory of 408	3764	svchost.com	99
PID 3764 wrote to memory of 408	3764	svchost.com	99
PID 3764 wrote to memory of 408	3764	svchost.com	99
PID 408 wrote to memory of 2228	408	7DF959~1.EXE	100
PID 408 wrote to memory of 2228	408	7DF959~1.EXE	100
PID 408 wrote to memory of 2228	408	7DF959~1.EXE	100
PID 2228 wrote to memory of 1372	2228	svchost.com	101
PID 2228 wrote to memory of 1372	2228	svchost.com	101
PID 2228 wrote to memory of 1372	2228	svchost.com	101
PID 1372 wrote to memory of 5112	1372	7DF959~1.EXE	139
PID 1372 wrote to memory of 5112	1372	7DF959~1.EXE	139
PID 1372 wrote to memory of 5112	1372	7DF959~1.EXE	139
PID 5112 wrote to memory of 1720	5112	svchost.com	103
PID 5112 wrote to memory of 1720	5112	svchost.com	103
PID 5112 wrote to memory of 1720	5112	svchost.com	103
PID 1720 wrote to memory of 4304	1720	7DF959~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
"C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        66⤵
        Checks computer location settings
        
        PID:4052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        67⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        68⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        69⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        70⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        73⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        74⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        77⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        78⤵
        Checks computer location settings
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        81⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        82⤵
        Checks computer location settings
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        83⤵
        Drops file in Windows directory
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        84⤵
        Modifies registry class
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        85⤵
        Drops file in Windows directory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        86⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        87⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        88⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        90⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        91⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        92⤵
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        93⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        94⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        95⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        96⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        97⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        98⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        102⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        104⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        105⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        107⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        108⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        110⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        111⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        112⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        113⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        115⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        116⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        117⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        118⤵
        Drops file in Windows directory
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        122⤵
        Checks computer location settings
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        123⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        124⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        125⤵
        Drops file in Windows directory
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        126⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        127⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        128⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        129⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        130⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        131⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        134⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        135⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        136⤵
        
        PID:3412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        137⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        139⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        140⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        141⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        144⤵
        Checks computer location settings
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        145⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        146⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        147⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        148⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        149⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        150⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        151⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        152⤵
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        155⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        156⤵
        Modifies registry class
        
        PID:3276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        160⤵
        Checks computer location settings
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        161⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        162⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        163⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        165⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        166⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        167⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        168⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        169⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        170⤵
        Drops file in Windows directory
        
        PID:3412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        172⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        173⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        175⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        176⤵
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        178⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        180⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        181⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        184⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        185⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        186⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        188⤵
        Checks computer location settings
        
        PID:312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        190⤵
        Modifies registry class
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        191⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        192⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        193⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        194⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        195⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        196⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        197⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        198⤵
        Checks computer location settings
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        200⤵
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        201⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        202⤵
        Drops file in Windows directory
        
        PID:4120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        203⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        205⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        206⤵
        Checks computer location settings
        
        PID:848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        208⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        209⤵
        Drops file in Windows directory
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        210⤵
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        211⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        212⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        213⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        214⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        216⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        217⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        218⤵
        Modifies registry class
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        222⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        223⤵
        Drops file in Windows directory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        224⤵
        Modifies registry class
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        225⤵
        Drops file in Windows directory
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        226⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        228⤵
        Drops file in Windows directory
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        229⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        230⤵
        Checks computer location settings
        
        PID:1076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        231⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        232⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        234⤵
        Checks computer location settings
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        236⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        237⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        238⤵
        Checks computer location settings
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        240⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        241⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        242⤵
        
        PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
494KB

MD5
af5f3fac1444c3d16fa0c95c2b4b8396

SHA1
edd73727f5ecf11e0fcc4d1cfaace90762e37c1b

SHA256
0bef9e787a64d6887f727b98f245d9321128bb9f795419fbb055826670f68780

SHA512
f315999c10256ea2365607c16463993832388a5b878141d15aa6887c4acdad274d42daa428d76b057fd6592f91a835df8b63f99248d878cb4b0187f1f5f285d0

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
e115eb174536d5fbcf5164232c89c25d

SHA1
5879354de61734962d39d13316d1fe028389cc16

SHA256
57329b38314923c17e9dd9e153e894708389dd597fcb1438d5291c7627238653

SHA512
69696a2e842e0557a57ec4d12c31d5afde0cdfb80d6028ad8d9b0b59d558ad6eaf043c9da0d31c43b16b4f12894dcea69db9366772c49c758773e6c35a9fb0c5

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
d705ccf8df250903be531a1a0a908571

SHA1
38782ec5e2658421f9622bd3c27262d388baeaae

SHA256
5e1feee8cd7ab462197ddc9c385a78f6a11d6f5718886ea9bf49eb425622c799

SHA512
43acd0aab50e781e311636891e5e3ffd5bf257cc489b13c1aefb2b3f084da4c8712b7fa45c1bc5e9551b8ddc6eeafe74476a9002fa12af052fe27e6421e5ad94

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

Filesize
146KB

MD5
6ecccb4bab82a4971897aa0bcb2f14be

SHA1
1c680d6f8ca6a0436b5935906a2d9c4699a7a412

SHA256
c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1

SHA512
d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
78f77aff4993684fdbcad13c74d5f364

SHA1
0b02ed9112021b3c65778fdce0642e81dfb5b628

SHA256
9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb

SHA512
568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
48628eeb152032e8dc9af97aaaeba7cf

SHA1
e826f32c423627ef625a6618e7250f7dbc4d2501

SHA256
f271af83d96b1d536e1a1788ec0baa0c3c583ddfe61faceccaeec1470c5676ca

SHA512
18a2a247177d04d5b1b56d126d72e29b02c8378e8aa4c89bdbaefe14bcd577d7aa054b05a5db37d142a37cf869f3bc03fe9a5bba4886a52d6c2ede5052dfcc7d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
ae390fa093b459a84c27b6c266888a7e

SHA1
ad88709a7f286fc7d65559e9aee3812be6baf4b2

SHA256
738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd

SHA512
096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
24eeb998cb16869438b95642d49ac3dd

SHA1
b45aa87f45250aa3482c29b24fa4aa3d57ae4c71

SHA256
a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0

SHA512
2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

Filesize
3.6MB

MD5
69e1e0de795a8bf8c4884cb98203b1f4

SHA1
a17f2ba68776596e2d1593781289c7007a805675

SHA256
2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb

SHA512
353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
af9aba6ab24cba804abba88d1626b2b9

SHA1
6a387c9ec2c06178476f8439a5a3d9149c480a9a

SHA256
e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90

SHA512
9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
032ee4d65b62d87cf809438556d30429

SHA1
34458fcefe3c67f19c3d2c94389fc99e54e74801

SHA256
0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b

SHA512
6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Filesize
224KB

MD5
e8a87b82e5a2209b51afa5f91c45ee63

SHA1
1e43df519f9632c2fb5eb2ddea122f906843c5be

SHA256
a6d3b894d8e9c806236f463971f06dc547c14b82f40201847e455ef30a4e6be6

SHA512
5f7476ef8931acfde84d89fe0a3ea1c29507183b7a68ba8f122c035c5ee81187abd462a6824cbe8ea365b5e0b7968d9cd4971f2f4ce286ce1e945e644888d7de

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c964bb4c53f77f16256b2816e8a02ff7

SHA1
2ba8d61469efb714ef7fcf593445cd3d6739ee42

SHA256
9c87e32fa34c4046e595ceea563a1a6648c10b1a872361ec475c56518e0177da

SHA512
62ea0320dc5a21dfae702f5f570a263be486efab9b84472770cf98af90f57ad3823f60cb5cb1883bd0cc58512babf48f75824f536e8b4e16fdcbb637493139ea

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/212-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/224-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/400-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/408-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/544-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/676-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/712-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/728-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/752-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/808-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/832-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1372-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2588-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2916-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3136-254-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3140-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3144-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3276-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3488-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3596-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3620-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3632-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3648-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3660-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3764-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3844-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3884-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3908-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4052-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4272-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4272-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4340-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4348-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4396-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4520-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4548-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4592-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4884-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4908-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4948-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5004-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5052-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5112-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads