neshta | f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c

Analysis

max time kernel
61s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
Size

1.4MB
MD5

da0dabd3074a2f56d1239bf8c1cb5ecc
SHA1

6a872ac401adc8a44326a0ef14cd215ac9eceacc
SHA256

f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c
SHA512

aa158a2196849c7a66b309c81022f2222576c00bea9716357be788d83a0ca1e815dc2c9636a2e0d830e007f14979ed4df6e94e2e5ef67f3229d07e652db3106a
SSDEEP

24576:epaiGhP1x+96UBz1V/7hw5CILSbvCDpmdLq9zyMfNyAGW6xRZzXeyNbgQF:BiI1k9/HYCtMpK2zyM45fzuYbgQF

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F4A905~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
1576	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
1060	svchost.com
652	F4A905~1.EXE
1872	svchost.com
4960	F4A905~1.EXE
2184	svchost.com
624	F4A905~1.EXE
3076	svchost.com
3276	F4A905~1.EXE
4268	svchost.com
2720	F4A905~1.EXE
3692	svchost.com
772	F4A905~1.EXE
2636	svchost.com
1908	F4A905~1.EXE
116	svchost.com
3864	F4A905~1.EXE
2796	svchost.com
4472	F4A905~1.EXE
3492	svchost.com
2700	F4A905~1.EXE
4360	svchost.com
2992	F4A905~1.EXE
3112	svchost.com
3896	F4A905~1.EXE
4704	svchost.com
3500	F4A905~1.EXE
3696	svchost.com
2388	F4A905~1.EXE
4784	svchost.com
2164	F4A905~1.EXE
2124	svchost.com
1692	F4A905~1.EXE
3880	svchost.com
2652	F4A905~1.EXE
556	svchost.com
4980	F4A905~1.EXE
2292	svchost.com
4400	F4A905~1.EXE
2864	svchost.com
1560	F4A905~1.EXE
1064	svchost.com
1760	F4A905~1.EXE
3592	svchost.com
3088	F4A905~1.EXE
4460	svchost.com
4136	F4A905~1.EXE
3484	svchost.com
3052	F4A905~1.EXE
388	svchost.com
2968	F4A905~1.EXE
4472	svchost.com
1372	F4A905~1.EXE
1308	svchost.com
2964	F4A905~1.EXE
1392	svchost.com
1836	F4A905~1.EXE
2000	svchost.com
3804	F4A905~1.EXE
3500	svchost.com
4960	F4A905~1.EXE
2608	svchost.com
624	F4A905~1.EXE
4232	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	F4A905~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1576	3024	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	83
PID 3024 wrote to memory of 1576	3024	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	83
PID 3024 wrote to memory of 1576	3024	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	83
PID 1576 wrote to memory of 1060	1576	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	84
PID 1576 wrote to memory of 1060	1576	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	84
PID 1576 wrote to memory of 1060	1576	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	84
PID 1060 wrote to memory of 652	1060	svchost.com	85
PID 1060 wrote to memory of 652	1060	svchost.com	85
PID 1060 wrote to memory of 652	1060	svchost.com	85
PID 652 wrote to memory of 1872	652	F4A905~1.EXE	86
PID 652 wrote to memory of 1872	652	F4A905~1.EXE	86
PID 652 wrote to memory of 1872	652	F4A905~1.EXE	86
PID 1872 wrote to memory of 4960	1872	svchost.com	87
PID 1872 wrote to memory of 4960	1872	svchost.com	87
PID 1872 wrote to memory of 4960	1872	svchost.com	87
PID 4960 wrote to memory of 2184	4960	F4A905~1.EXE	88
PID 4960 wrote to memory of 2184	4960	F4A905~1.EXE	88
PID 4960 wrote to memory of 2184	4960	F4A905~1.EXE	88
PID 2184 wrote to memory of 624	2184	svchost.com	89
PID 2184 wrote to memory of 624	2184	svchost.com	89
PID 2184 wrote to memory of 624	2184	svchost.com	89
PID 624 wrote to memory of 3076	624	F4A905~1.EXE	90
PID 624 wrote to memory of 3076	624	F4A905~1.EXE	90
PID 624 wrote to memory of 3076	624	F4A905~1.EXE	90
PID 3076 wrote to memory of 3276	3076	svchost.com	91
PID 3076 wrote to memory of 3276	3076	svchost.com	91
PID 3076 wrote to memory of 3276	3076	svchost.com	91
PID 3276 wrote to memory of 4268	3276	F4A905~1.EXE	92
PID 3276 wrote to memory of 4268	3276	F4A905~1.EXE	92
PID 3276 wrote to memory of 4268	3276	F4A905~1.EXE	92
PID 4268 wrote to memory of 2720	4268	svchost.com	93
PID 4268 wrote to memory of 2720	4268	svchost.com	93
PID 4268 wrote to memory of 2720	4268	svchost.com	93
PID 2720 wrote to memory of 3692	2720	F4A905~1.EXE	94
PID 2720 wrote to memory of 3692	2720	F4A905~1.EXE	94
PID 2720 wrote to memory of 3692	2720	F4A905~1.EXE	94
PID 3692 wrote to memory of 772	3692	svchost.com	95
PID 3692 wrote to memory of 772	3692	svchost.com	95
PID 3692 wrote to memory of 772	3692	svchost.com	95
PID 772 wrote to memory of 2636	772	F4A905~1.EXE	96
PID 772 wrote to memory of 2636	772	F4A905~1.EXE	96
PID 772 wrote to memory of 2636	772	F4A905~1.EXE	96
PID 2636 wrote to memory of 1908	2636	svchost.com	97
PID 2636 wrote to memory of 1908	2636	svchost.com	97
PID 2636 wrote to memory of 1908	2636	svchost.com	97
PID 1908 wrote to memory of 116	1908	F4A905~1.EXE	98
PID 1908 wrote to memory of 116	1908	F4A905~1.EXE	98
PID 1908 wrote to memory of 116	1908	F4A905~1.EXE	98
PID 116 wrote to memory of 3864	116	svchost.com	99
PID 116 wrote to memory of 3864	116	svchost.com	99
PID 116 wrote to memory of 3864	116	svchost.com	99
PID 3864 wrote to memory of 2796	3864	F4A905~1.EXE	100
PID 3864 wrote to memory of 2796	3864	F4A905~1.EXE	100
PID 3864 wrote to memory of 2796	3864	F4A905~1.EXE	100
PID 2796 wrote to memory of 4472	2796	svchost.com	138
PID 2796 wrote to memory of 4472	2796	svchost.com	138
PID 2796 wrote to memory of 4472	2796	svchost.com	138
PID 4472 wrote to memory of 3492	4472	F4A905~1.EXE	102
PID 4472 wrote to memory of 3492	4472	F4A905~1.EXE	102
PID 4472 wrote to memory of 3492	4472	F4A905~1.EXE	102
PID 3492 wrote to memory of 2700	3492	svchost.com	103
PID 3492 wrote to memory of 2700	3492	svchost.com	103
PID 3492 wrote to memory of 2700	3492	svchost.com	103
PID 2700 wrote to memory of 4360	2700	F4A905~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
"C:\Users\Admin\AppData\Local\Temp\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        66⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        67⤵
        Drops file in Windows directory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        68⤵
        Modifies registry class
        
        PID:3964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        70⤵
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        71⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        72⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        73⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        74⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        75⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        76⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        77⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        78⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        81⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        82⤵
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        83⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        84⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        85⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        86⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        87⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        90⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        91⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        92⤵
        Modifies registry class
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        93⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        94⤵
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        95⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        96⤵
        Checks computer location settings
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        97⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        98⤵
        Modifies registry class
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        100⤵
        
        PID:3272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        102⤵
        Checks computer location settings
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        103⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        104⤵
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        105⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        106⤵
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        107⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        108⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        110⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        111⤵
        Drops file in Windows directory
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        112⤵
        
        PID:4108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        113⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        114⤵
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        115⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        116⤵
        Checks computer location settings
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        117⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        119⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        120⤵
        Checks computer location settings
        
        PID:3704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        121⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        122⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        123⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        124⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        125⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        126⤵
        Modifies registry class
        
        PID:4756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        127⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        128⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        129⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        130⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        132⤵
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        134⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        135⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        136⤵
        Checks computer location settings
        Modifies registry class
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        137⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        138⤵
        
        PID:464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        140⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        141⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        142⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        144⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        146⤵
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        147⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        148⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        149⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        150⤵
        Modifies registry class
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        151⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        152⤵
        Checks computer location settings
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        154⤵
        
        PID:3268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        156⤵
        
        PID:4904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        158⤵
        Drops file in Windows directory
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        159⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        160⤵
        Checks computer location settings
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        161⤵
        Drops file in Windows directory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        162⤵
        Modifies registry class
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        163⤵
        Drops file in Windows directory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        164⤵
        Checks computer location settings
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        165⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        167⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        168⤵
        Drops file in Windows directory
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        169⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        170⤵
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        171⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        172⤵
        Modifies registry class
        
        PID:4328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        173⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        174⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        175⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        176⤵
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        178⤵
        
        PID:4476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        179⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        183⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        184⤵
        Modifies registry class
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        185⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        186⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        187⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        188⤵
        Checks computer location settings
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        189⤵
        Drops file in Windows directory
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        190⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        192⤵
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        193⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        194⤵
        
        PID:184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        195⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        196⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        197⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        198⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        200⤵
        Modifies registry class
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        202⤵
        Checks computer location settings
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        203⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        204⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        205⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        206⤵
        Checks computer location settings
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        207⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        208⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        209⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        210⤵
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        211⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        212⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        213⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        214⤵
        Checks computer location settings
        Modifies registry class
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        215⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        216⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        217⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        218⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        219⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        220⤵
        Modifies registry class
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        221⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        222⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        223⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        224⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        225⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        226⤵
        Modifies registry class
        
        PID:3820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        227⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        228⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        229⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        230⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        232⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        234⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        235⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        236⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        237⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        238⤵
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        240⤵
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        241⤵
        Drops file in Windows directory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        242⤵
        Checks computer location settings
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        243⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        244⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        245⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        246⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        247⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        249⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        250⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        251⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        253⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        254⤵
        
        PID:1116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        255⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        256⤵
        
        PID:3484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        257⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        258⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        259⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        260⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        262⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        263⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        264⤵
        Checks computer location settings
        
        PID:1208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        265⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        268⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        270⤵
        
        PID:3644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        272⤵
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        273⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        274⤵
        
        PID:1008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        276⤵
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        277⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        278⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        279⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        280⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        282⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        283⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        284⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        285⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        286⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        288⤵
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        289⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        290⤵
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        291⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        292⤵
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        293⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        295⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        296⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        298⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        299⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        300⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        302⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        303⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        304⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        305⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        306⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        307⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        308⤵
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        309⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        310⤵
        Checks computer location settings
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        311⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        312⤵
        Drops file in Windows directory
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        313⤵
        Drops file in Windows directory
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        314⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        315⤵
        Drops file in Windows directory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        316⤵
        Checks computer location settings
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        317⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        318⤵
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        320⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        321⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        322⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        323⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        324⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        325⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        326⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        327⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        328⤵
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        329⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        330⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        331⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        332⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        333⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        335⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        336⤵
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        337⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        338⤵
        Modifies registry class
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        339⤵
        Drops file in Windows directory
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        340⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        341⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        342⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        343⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        344⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        345⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        347⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        348⤵
        Checks computer location settings
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        349⤵
        Drops file in Windows directory
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        351⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        352⤵
        
        PID:3088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        353⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        354⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        355⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        356⤵
        Checks computer location settings
        Modifies registry class
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        357⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        358⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        360⤵
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        361⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        362⤵
        Checks computer location settings
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        364⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        366⤵
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        368⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        369⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        370⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        371⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        372⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        373⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        374⤵
        Modifies registry class
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        375⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        376⤵
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        377⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        378⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        379⤵
        Drops file in Windows directory
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        380⤵
        Modifies registry class
        
        PID:3880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        381⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        383⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        384⤵
        Checks computer location settings
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        385⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        386⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        387⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        388⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        390⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        391⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        392⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        393⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        394⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        395⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        396⤵
        Drops file in Windows directory
        
        PID:4992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        397⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        398⤵
        
        PID:4840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        399⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        400⤵
        Drops file in Windows directory
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        401⤵
        Drops file in Windows directory
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        402⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        403⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        404⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        405⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        406⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        407⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        408⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        409⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        410⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        411⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        412⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        413⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        414⤵
        
        PID:2920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        415⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        416⤵
        Modifies registry class
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        417⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        418⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        419⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        420⤵
        
        PID:628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        421⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        422⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        423⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        424⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        425⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        426⤵
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        427⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        428⤵
        
        PID:4712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        429⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        430⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        431⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        432⤵
        
        PID:3124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        433⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        434⤵
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        435⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        436⤵
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        437⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        438⤵
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        439⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        440⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        441⤵
        
        PID:4904

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3968

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
3e4c1ecf89d19b8484e386008bb37a25

SHA1
a9a92b63645928e8a92dc395713d3c5b921026b7

SHA256
1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22

SHA512
473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
3e8712e3f8ce04d61b1c23d9494e1154

SHA1
7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4

SHA256
7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9

SHA512
d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
823cb3e3a3de255bdb0d1f362f6f48ab

SHA1
9027969c2f7b427527b23cb7ab1a0abc1898b262

SHA256
b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f

SHA512
0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
52927c2ff6260abef9d440b92d7894ef

SHA1
d766ec8d31a1b3ec68709adffb333b9b0aecc990

SHA256
0f5d7ae5106f842b482a1708b7ddf62803075ec7c1bebae44e21ba0fdd15db3d

SHA512
5fd72ee89f89c8008c6afa664247c97447d23086b686a9b8b1b28bba60399b82d9997cd7088e7356a992b47faff3f117c319e595f3b73fec55f4452e1d3071d4

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
415671ceca4f8e9fd6830ba812e41597

SHA1
0e5095e00711a69d44bfff529a8700528093ca52

SHA256
235bea563512a5532851bd2b1b2927cc0365904e1f851d7d94010b65e531092b

SHA512
ccafc59de0d100fc54d4099fd07b83e8a4d962e12bcecc3d1145ab41edc89bb3a5b9f3a00cc4d9df57bd7784666da7c00effc11cc5b991f9f97587cb8affeee8

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
619314ef3e2e5abde1bb19dbce363220

SHA1
5fc9e9c74d8fdc9d185f524dc1364500883c4eef

SHA256
763c48c14695500dd1f8b1b88f7be84a9fe95d9a7bb63211f74cbe210e0a58af

SHA512
5389516629a884b109950254398d1453fd573ce6f73ff3479322c1361ec990b53cd0cec2fbe366e7ab0ba704bfb1f5fd58dc7ec3d81254c9256973f4983ec360

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
cd4af683704c71887125716ca891e18c

SHA1
64d02bac29cfeeed31978438d572230f316d61df

SHA256
1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5

SHA512
dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
e2b4d2c7b6fa09e5bd3f6df9fc6e8655

SHA1
eca5d5cc3475a9628b504102f61e0bd9dac9ad02

SHA256
b00ec004498d598e10f285bb322b859cd57b640c500c804e7b15a212aaded5fa

SHA512
db02329122f67bb2241bbe91d5b0c2570782d643ba382e691cfa6ee306eb257b2f92c0920a34f2b56d656d8fb2c02e22cb933faa03884848d7b66028de05b1ed

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
72671b444a2396e4ca4fd54e4a6951ef

SHA1
d2fe57901223c965c3f4f513cec90d60bc3e2ea1

SHA256
8d828b8e9a8a90810c569c1e5a43f5fd9e1a126386ebb16c3980609507744bac

SHA512
cf4f0332b5f359372ad8e56619aef8c2771d5e3a2bfd0023409822c162fbd9933206b5781e5fd5f67a50a2b68721b5e0f2cb2b03cdab8a05b4f28d28c93f8b7e

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
6300a726756bfdf266b92f280a0e79f3

SHA1
c1d31d9e79102f137cb6825feb49090698486a22

SHA256
e4150e18e46af7fbcd5ce928dba86e3eed7f5ab0f122b2bb9d1bab99122fef4b

SHA512
2070828dc743a56866c2668337f04e7a052f501279d75bbae802424ed3ea5cc82ecb27c779a701b9d29953c07ee8eff7b61b326617001d9167389d02f068af7c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
048da0aced67fe14cbc1801a057b8cef

SHA1
9ddac6ad86b54d0b7e1d22fbc1ff75ccfa9c17ea

SHA256
2f37cac4a1dbf7944d43f1154ce293311c3f9d44317276a06b49cd41123d9d96

SHA512
1d2b23dc25ea03002a3ccbcdf08a7ebf47ee2158bf9211b71830a92dfa4bef584529c1804148ebe2cb662e579cc97e9f702a6a42071f2600a129c642a6b92c16

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
fc1fae6a02f5ef05113aec947eda5996

SHA1
ed831802511f89d436c02f0fd3deecf37f770d3b

SHA256
cc92fdf41d3600a028d91ba0c2d28d3c6cd77e3ed58d257164d5d3d907908356

SHA512
0e6b3707c331cd2d1740513730cc6e0da3f750d5b9d08b398ef4cdd2ace9ee8f076f0706cdfe621de93bdf3d4e9ee015c6fbd68484da13affbbc05576eaa90da

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
80c124900fe2a6955fa8ef8e317da894

SHA1
4a6224f6b9344261cd8d373b572dc5a89f9e1ae7

SHA256
244efc6b493b0e65285259a2c1755d5fc84e3622b2487bd8d89dbc077654fdd8

SHA512
5a1a34a6e6179ab3a690e8186abf5b7e2407126632758e127b55f5af6af5eb7657629472bf4898b1883e7d725f03e7e8e45337687ebed19f6204b74593d8b047

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
96c338591ac8ea4483337c8371cfbab9

SHA1
21bed3f86db1c33912390db397678631c876f431

SHA256
7237de120dcf61936d33394b8e211d4af88a7e4c6ee53cf053a54b8b60c23a1e

SHA512
44e44c466ca812a1ce21f5ba8e3e57434ae7ff1549b0315d3887cd467da40e1604ec9a69f07d7e3c834aa1d96c8206628ce173ae8a8a59a9d713b516f58e9455

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Filesize
1.4MB

MD5
2136c7c810ee3819856089a1ab19cea0

SHA1
153e52d42dc1c0faf524d65515b4b3b7bd228fab

SHA256
1778fda3c179515355b6c3814d6b673d60601e75f145654ce122fc203f3a2cb0

SHA512
e644ae3c6bec165e18a9bf521b09f07288be5dec8988b8ce1c666a416941ed61533782275fe9279316d9b84528a4d87d50248bf0a4755adf95b135f5ca233052

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
cc7668bafeaf4f410ebea75e0b709784

SHA1
349a049b07dc521c5cde8bb9b6cf1da63185a2c7

SHA256
97c04dfc6c6c3dd612f05646be74c04828706739656b94d8d5235a9b9d498841

SHA512
6686888dfd543998037e87b397b88f9285dcc9e84d6380e9da89d9072c968c5013f851b94dac1988b5ddead7e0d68a2a8061f1ae8e9c3edc01c1710a103c3512

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92ba5cb9e059080b94a4c49fe48bb793

SHA1
516b09666b583802335dbf9ea17e0253848bc5b4

SHA256
ad9a9ad0a341229389a4dcaad9e52f645fd4b69e679122b4e74a15f6c1bb2903

SHA512
711f2b644a0519eea8c604ae330b2cc2d419ad94b92d2f3fc792acc19de9d582a47ce42a84fd691dba4bee9d8d705836bd61b17ccab2707dfa21776d315122f7

Download Submit
memory/116-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/388-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/556-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/652-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/772-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1064-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1372-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1392-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1560-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1576-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1760-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1872-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2388-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3024-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3052-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3076-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3088-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3112-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3276-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3484-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3492-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3500-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3500-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3592-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3692-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3804-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3864-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3880-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3896-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4136-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4268-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4360-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4400-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4460-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4472-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4472-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4784-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4960-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4960-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads