neshta | fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Size

383KB
MD5

22f70db1f27b3553a4942d1b3cbe7275
SHA1

3c6aba77ef2c4f9355a66154cacc8ea514c16c06
SHA256

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec
SHA512

3adb4c03d1dd124f6de7716490733df250397dd59d950d777ca300e8424dcb4d7cecba71e585c1d72780ed9446d0a769bcfd741bfc1052086d9d43e61fc5ba09
SSDEEP

3072:zr8WDrCjXrtbl44nwb+E/UeH+QyJen3nt3fJaiakiO8sd8rKzXetLYruD5fDeFru:PujXM4nntUNfJzeOxXeyro5uu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
4368	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
2932	svchost.com
2352	FD662C~1.EXE
4012	svchost.com
1040	FD662C~1.EXE
4116	svchost.com
3004	FD662C~1.EXE
1824	svchost.com
1164	FD662C~1.EXE
5024	svchost.com
232	FD662C~1.EXE
4156	svchost.com
5040	FD662C~1.EXE
2056	svchost.com
1052	FD662C~1.EXE
4936	svchost.com
4504	FD662C~1.EXE
4836	svchost.com
1184	FD662C~1.EXE
2332	svchost.com
1212	FD662C~1.EXE
1132	svchost.com
3156	FD662C~1.EXE
4068	svchost.com
2596	FD662C~1.EXE
2236	svchost.com
1804	FD662C~1.EXE
2784	svchost.com
4564	FD662C~1.EXE
2612	svchost.com
1484	FD662C~1.EXE
4964	svchost.com
3128	FD662C~1.EXE
2876	svchost.com
4228	FD662C~1.EXE
3588	svchost.com
1984	FD662C~1.EXE
1032	svchost.com
4440	FD662C~1.EXE
2168	svchost.com
3224	FD662C~1.EXE
540	svchost.com
1012	FD662C~1.EXE
460	svchost.com
4268	FD662C~1.EXE
4652	svchost.com
5084	FD662C~1.EXE
4808	svchost.com
2592	FD662C~1.EXE
2696	svchost.com
3504	FD662C~1.EXE
2480	svchost.com
3592	FD662C~1.EXE
3552	svchost.com
2072	FD662C~1.EXE
3144	svchost.com
3508	FD662C~1.EXE
4632	svchost.com
4196	FD662C~1.EXE
1444	svchost.com
3620	FD662C~1.EXE
4500	svchost.com
4312	FD662C~1.EXE
3004	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FD662C~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 4368	900	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 900 wrote to memory of 4368	900	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 900 wrote to memory of 4368	900	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 4368 wrote to memory of 2932	4368	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 4368 wrote to memory of 2932	4368	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 4368 wrote to memory of 2932	4368	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 2932 wrote to memory of 2352	2932	svchost.com	84
PID 2932 wrote to memory of 2352	2932	svchost.com	84
PID 2932 wrote to memory of 2352	2932	svchost.com	84
PID 2352 wrote to memory of 4012	2352	FD662C~1.EXE	85
PID 2352 wrote to memory of 4012	2352	FD662C~1.EXE	85
PID 2352 wrote to memory of 4012	2352	FD662C~1.EXE	85
PID 4012 wrote to memory of 1040	4012	svchost.com	86
PID 4012 wrote to memory of 1040	4012	svchost.com	86
PID 4012 wrote to memory of 1040	4012	svchost.com	86
PID 1040 wrote to memory of 4116	1040	FD662C~1.EXE	87
PID 1040 wrote to memory of 4116	1040	FD662C~1.EXE	87
PID 1040 wrote to memory of 4116	1040	FD662C~1.EXE	87
PID 4116 wrote to memory of 3004	4116	svchost.com	88
PID 4116 wrote to memory of 3004	4116	svchost.com	88
PID 4116 wrote to memory of 3004	4116	svchost.com	88
PID 3004 wrote to memory of 1824	3004	FD662C~1.EXE	89
PID 3004 wrote to memory of 1824	3004	FD662C~1.EXE	89
PID 3004 wrote to memory of 1824	3004	FD662C~1.EXE	89
PID 1824 wrote to memory of 1164	1824	svchost.com	90
PID 1824 wrote to memory of 1164	1824	svchost.com	90
PID 1824 wrote to memory of 1164	1824	svchost.com	90
PID 1164 wrote to memory of 5024	1164	FD662C~1.EXE	151
PID 1164 wrote to memory of 5024	1164	FD662C~1.EXE	151
PID 1164 wrote to memory of 5024	1164	FD662C~1.EXE	151
PID 5024 wrote to memory of 232	5024	svchost.com	92
PID 5024 wrote to memory of 232	5024	svchost.com	92
PID 5024 wrote to memory of 232	5024	svchost.com	92
PID 232 wrote to memory of 4156	232	FD662C~1.EXE	93
PID 232 wrote to memory of 4156	232	FD662C~1.EXE	93
PID 232 wrote to memory of 4156	232	FD662C~1.EXE	93
PID 4156 wrote to memory of 5040	4156	svchost.com	94
PID 4156 wrote to memory of 5040	4156	svchost.com	94
PID 4156 wrote to memory of 5040	4156	svchost.com	94
PID 5040 wrote to memory of 2056	5040	FD662C~1.EXE	95
PID 5040 wrote to memory of 2056	5040	FD662C~1.EXE	95
PID 5040 wrote to memory of 2056	5040	FD662C~1.EXE	95
PID 2056 wrote to memory of 1052	2056	svchost.com	96
PID 2056 wrote to memory of 1052	2056	svchost.com	96
PID 2056 wrote to memory of 1052	2056	svchost.com	96
PID 1052 wrote to memory of 4936	1052	FD662C~1.EXE	97
PID 1052 wrote to memory of 4936	1052	FD662C~1.EXE	97
PID 1052 wrote to memory of 4936	1052	FD662C~1.EXE	97
PID 4936 wrote to memory of 4504	4936	svchost.com	98
PID 4936 wrote to memory of 4504	4936	svchost.com	98
PID 4936 wrote to memory of 4504	4936	svchost.com	98
PID 4504 wrote to memory of 4836	4504	FD662C~1.EXE	99
PID 4504 wrote to memory of 4836	4504	FD662C~1.EXE	99
PID 4504 wrote to memory of 4836	4504	FD662C~1.EXE	99
PID 4836 wrote to memory of 1184	4836	svchost.com	100
PID 4836 wrote to memory of 1184	4836	svchost.com	100
PID 4836 wrote to memory of 1184	4836	svchost.com	100
PID 1184 wrote to memory of 2332	1184	FD662C~1.EXE	101
PID 1184 wrote to memory of 2332	1184	FD662C~1.EXE	101
PID 1184 wrote to memory of 2332	1184	FD662C~1.EXE	101
PID 2332 wrote to memory of 1212	2332	svchost.com	102
PID 2332 wrote to memory of 1212	2332	svchost.com	102
PID 2332 wrote to memory of 1212	2332	svchost.com	102
PID 1212 wrote to memory of 1132	1212	FD662C~1.EXE	103

C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
"C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        66⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        67⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        68⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        73⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        74⤵
        Checks computer location settings
        
        PID:3764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        75⤵
        Drops file in Windows directory
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        76⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        77⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        78⤵
        Modifies registry class
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        79⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        81⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        82⤵
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        84⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        85⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        86⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        88⤵
        Checks computer location settings
        
        PID:4184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        90⤵
        Modifies registry class
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        91⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        93⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        94⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        96⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        97⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        98⤵
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        99⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        100⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        101⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        102⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        104⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        105⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        107⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        109⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        110⤵
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        111⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        112⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        114⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        115⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        116⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        117⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        118⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        120⤵
        Modifies registry class
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        121⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        122⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        123⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        125⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        126⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        127⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        128⤵
        Drops file in Windows directory
        
        PID:3516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        129⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        130⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        131⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        132⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        135⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        136⤵
        Checks computer location settings
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        137⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        138⤵
        
        PID:3572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        140⤵
        
        PID:3860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        142⤵
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        143⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        145⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        146⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        147⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        149⤵
        Drops file in Windows directory
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        152⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        153⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        154⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        155⤵
        Drops file in Windows directory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        156⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        157⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        158⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        159⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        160⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        161⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        162⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        163⤵
        Drops file in Windows directory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        164⤵
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        165⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        167⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        168⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        169⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        170⤵
        Checks computer location settings
        
        PID:5004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        171⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        172⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        173⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        174⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        175⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        176⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        177⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        178⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        179⤵
        Drops file in Windows directory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        180⤵
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        181⤵
        Drops file in Windows directory
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        183⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        184⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        185⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        186⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        187⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        189⤵
        Drops file in Windows directory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        190⤵
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        192⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        193⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        194⤵
        Checks computer location settings
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        195⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        196⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        197⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        200⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        202⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        203⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        204⤵
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        206⤵
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        207⤵
        Drops file in Windows directory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        208⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        209⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        210⤵
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        211⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        212⤵
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        214⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        215⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        216⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        217⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        218⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        219⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        221⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        222⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        223⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        224⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        225⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        226⤵
        Checks computer location settings
        
        PID:4720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        227⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        228⤵
        Checks computer location settings
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        229⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        230⤵
        Checks computer location settings
        Modifies registry class
        
        PID:724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        231⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        232⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        233⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        234⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        235⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        236⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        238⤵
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        239⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        240⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        241⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        243⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        244⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        245⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        246⤵
        Checks computer location settings
        Modifies registry class
        
        PID:340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        248⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        249⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        250⤵
        Checks computer location settings
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        251⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        252⤵
        Drops file in Windows directory
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        253⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        255⤵
        Drops file in Windows directory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        256⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        258⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        259⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        260⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        261⤵
        Drops file in Windows directory
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        262⤵
        Drops file in Windows directory
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        264⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
124147ede15f97b47224628152110ce2

SHA1
4530fee9b1199777693073414b82420a7c88a042

SHA256
3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd

SHA512
f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
e115eb174536d5fbcf5164232c89c25d

SHA1
5879354de61734962d39d13316d1fe028389cc16

SHA256
57329b38314923c17e9dd9e153e894708389dd597fcb1438d5291c7627238653

SHA512
69696a2e842e0557a57ec4d12c31d5afde0cdfb80d6028ad8d9b0b59d558ad6eaf043c9da0d31c43b16b4f12894dcea69db9366772c49c758773e6c35a9fb0c5

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
7aac73055860fcd079d9407cab08276d

SHA1
482b9f337d60270c95950353f9ca8929d8926b1d

SHA256
97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5

SHA512
f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
a12297c17e3747647d5c29d67edd4d9a

SHA1
6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d

SHA256
288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2

SHA512
e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
78f77aff4993684fdbcad13c74d5f364

SHA1
0b02ed9112021b3c65778fdce0642e81dfb5b628

SHA256
9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb

SHA512
568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
cd4af683704c71887125716ca891e18c

SHA1
64d02bac29cfeeed31978438d572230f316d61df

SHA256
1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5

SHA512
dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

Filesize
1.6MB

MD5
af9aba6ab24cba804abba88d1626b2b9

SHA1
6a387c9ec2c06178476f8439a5a3d9149c480a9a

SHA256
e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90

SHA512
9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
032ee4d65b62d87cf809438556d30429

SHA1
34458fcefe3c67f19c3d2c94389fc99e54e74801

SHA256
0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b

SHA512
6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
7fbf415b935535d546d5f9203964ed7e

SHA1
ce6a5d5117940e7435f4a0ff412741f40a5cbafb

SHA256
ea24198d33ecd695b9892068d4d155435318e41531d7ca5379b45b344a086a28

SHA512
5e613b6f43f16f298ae67ff1928354e7f40adfc574bec5996dbdef99c8c053f1c32c677f18093c7ff78ec2f883e6d377af8515c76380823264633dd8c78cd2ec

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
141KB

MD5
144294f89c5a1ad929b9056ec0760f0f

SHA1
91175b430042997c8fb899596afc53bea4bb38c8

SHA256
9d1eeb4a9b9ef3d686891ac34e9b4a2379f24fc02ea2e9fc00071d03a86d42ab

SHA512
77c2fd3dc1bc710e652e4e4ca7cd73076a3988cf395d977b5a46a395cedd943560f3a5ad2251365c63cd2d3e681e7cf9fc3510d8d778732d7c692831c2fc9898

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Filesize
342KB

MD5
7ef0e707c6eeb711aad73ee0889d53e9

SHA1
e64c3e990891817e0d8bc9cfa1af375d7715baf7

SHA256
dca0b776d9de5f91c2e66450fc6f37e31039d646fd249102cb4f6027917f2b44

SHA512
72f19a17d51e50996f61a96bbd5c7fdc5873129722fa4b07f4ca821260e0786355b183583fda1dccd1dd7370b45f1eb9062e831e81558a846504682b9ca6d46e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
837625c937c93f660ebea9a810fe8f45

SHA1
f6446f892333ca2ebb8ece4fbbb150ed97c54e74

SHA256
b4ed11330c4889e37122a9eda274badc2f11c80ace26d11ecf29e60da51e36c3

SHA512
235a610d3931b7b62199d9058b804636faa93d2e75e3c4a2383ca753e370185eed2db3f6acd0907f3fddc0c0717be1d3b4457b058f0c0ae22e74d260e5de5fe7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/232-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/460-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1012-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1040-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1132-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1164-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1184-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1212-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1444-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1804-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1984-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2480-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-255-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3128-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3144-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3156-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3224-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3508-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3552-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3592-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3620-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4012-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4116-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4156-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4196-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4228-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4268-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4312-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4440-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4504-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4652-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4836-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-122-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5024-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5040-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5084-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads