neshta | ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Size

334KB
MD5

cbd55ec0a11cf6344414b28037fed7ab
SHA1

a2b66415e19f7a5c055c656fe3b717602fcb89e5
SHA256

ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5
SHA512

5a1ff9f7a8b4fffa10d827da20a4ef7101e6a55f023ed0574a63527d91cb516eac4884190abc505c100254922b6e750c76734438406d06196d4fca5596363c21
SSDEEP

3072:zr8WDrCoMeyoRJLc15QIvoKHcfAn8L2eoH0vuHimNdEMXH5yO4LP6gg/uYKr8WD2:PuRGLWoKHIAn8wuYNj5yO+6luYyu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FFE8EB~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
760	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
1592	svchost.com
4264	FFE8EB~1.EXE
1540	svchost.com
1084	FFE8EB~1.EXE
2028	svchost.com
4292	FFE8EB~1.EXE
3288	svchost.com
2748	FFE8EB~1.EXE
3092	svchost.com
32	FFE8EB~1.EXE
2780	svchost.com
4084	FFE8EB~1.EXE
2868	svchost.com
4844	FFE8EB~1.EXE
60	svchost.com
4432	FFE8EB~1.EXE
4216	svchost.com
4576	FFE8EB~1.EXE
4304	svchost.com
4564	FFE8EB~1.EXE
3596	svchost.com
4044	FFE8EB~1.EXE
1428	svchost.com
5052	FFE8EB~1.EXE
4368	svchost.com
2956	FFE8EB~1.EXE
5036	svchost.com
2132	FFE8EB~1.EXE
5048	svchost.com
1536	FFE8EB~1.EXE
3980	svchost.com
3736	FFE8EB~1.EXE
696	svchost.com
3840	FFE8EB~1.EXE
4500	svchost.com
3276	FFE8EB~1.EXE
3092	svchost.com
4652	FFE8EB~1.EXE
1488	svchost.com
4404	FFE8EB~1.EXE
1884	svchost.com
3716	FFE8EB~1.EXE
2880	svchost.com
1968	FFE8EB~1.EXE
4508	svchost.com
4776	FFE8EB~1.EXE
2852	svchost.com
4348	FFE8EB~1.EXE
3124	svchost.com
4860	FFE8EB~1.EXE
3368	svchost.com
3896	FFE8EB~1.EXE
2988	svchost.com
2328	FFE8EB~1.EXE
1684	svchost.com
3344	FFE8EB~1.EXE
3496	svchost.com
3800	FFE8EB~1.EXE
1316	svchost.com
1480	FFE8EB~1.EXE
3228	svchost.com
2956	FFE8EB~1.EXE
3192	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FFE8EB~1.EXE
File opened for modification	C:\Windows\directx.sys	FFE8EB~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFE8EB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	FFE8EB~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 760	2372	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	85
PID 2372 wrote to memory of 760	2372	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	85
PID 2372 wrote to memory of 760	2372	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	85
PID 760 wrote to memory of 1592	760	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	86
PID 760 wrote to memory of 1592	760	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	86
PID 760 wrote to memory of 1592	760	ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe	86
PID 1592 wrote to memory of 4264	1592	svchost.com	87
PID 1592 wrote to memory of 4264	1592	svchost.com	87
PID 1592 wrote to memory of 4264	1592	svchost.com	87
PID 4264 wrote to memory of 1540	4264	FFE8EB~1.EXE	88
PID 4264 wrote to memory of 1540	4264	FFE8EB~1.EXE	88
PID 4264 wrote to memory of 1540	4264	FFE8EB~1.EXE	88
PID 1540 wrote to memory of 1084	1540	svchost.com	89
PID 1540 wrote to memory of 1084	1540	svchost.com	89
PID 1540 wrote to memory of 1084	1540	svchost.com	89
PID 1084 wrote to memory of 2028	1084	FFE8EB~1.EXE	90
PID 1084 wrote to memory of 2028	1084	FFE8EB~1.EXE	90
PID 1084 wrote to memory of 2028	1084	FFE8EB~1.EXE	90
PID 2028 wrote to memory of 4292	2028	svchost.com	91
PID 2028 wrote to memory of 4292	2028	svchost.com	91
PID 2028 wrote to memory of 4292	2028	svchost.com	91
PID 4292 wrote to memory of 3288	4292	FFE8EB~1.EXE	92
PID 4292 wrote to memory of 3288	4292	FFE8EB~1.EXE	92
PID 4292 wrote to memory of 3288	4292	FFE8EB~1.EXE	92
PID 3288 wrote to memory of 2748	3288	svchost.com	93
PID 3288 wrote to memory of 2748	3288	svchost.com	93
PID 3288 wrote to memory of 2748	3288	svchost.com	93
PID 2748 wrote to memory of 3092	2748	FFE8EB~1.EXE	124
PID 2748 wrote to memory of 3092	2748	FFE8EB~1.EXE	124
PID 2748 wrote to memory of 3092	2748	FFE8EB~1.EXE	124
PID 3092 wrote to memory of 32	3092	svchost.com	95
PID 3092 wrote to memory of 32	3092	svchost.com	95
PID 3092 wrote to memory of 32	3092	svchost.com	95
PID 32 wrote to memory of 2780	32	FFE8EB~1.EXE	164
PID 32 wrote to memory of 2780	32	FFE8EB~1.EXE	164
PID 32 wrote to memory of 2780	32	FFE8EB~1.EXE	164
PID 2780 wrote to memory of 4084	2780	svchost.com	97
PID 2780 wrote to memory of 4084	2780	svchost.com	97
PID 2780 wrote to memory of 4084	2780	svchost.com	97
PID 4084 wrote to memory of 2868	4084	FFE8EB~1.EXE	98
PID 4084 wrote to memory of 2868	4084	FFE8EB~1.EXE	98
PID 4084 wrote to memory of 2868	4084	FFE8EB~1.EXE	98
PID 2868 wrote to memory of 4844	2868	svchost.com	99
PID 2868 wrote to memory of 4844	2868	svchost.com	99
PID 2868 wrote to memory of 4844	2868	svchost.com	99
PID 4844 wrote to memory of 60	4844	FFE8EB~1.EXE	100
PID 4844 wrote to memory of 60	4844	FFE8EB~1.EXE	100
PID 4844 wrote to memory of 60	4844	FFE8EB~1.EXE	100
PID 60 wrote to memory of 4432	60	svchost.com	101
PID 60 wrote to memory of 4432	60	svchost.com	101
PID 60 wrote to memory of 4432	60	svchost.com	101
PID 4432 wrote to memory of 4216	4432	FFE8EB~1.EXE	102
PID 4432 wrote to memory of 4216	4432	FFE8EB~1.EXE	102
PID 4432 wrote to memory of 4216	4432	FFE8EB~1.EXE	102
PID 4216 wrote to memory of 4576	4216	svchost.com	103
PID 4216 wrote to memory of 4576	4216	svchost.com	103
PID 4216 wrote to memory of 4576	4216	svchost.com	103
PID 4576 wrote to memory of 4304	4576	FFE8EB~1.EXE	104
PID 4576 wrote to memory of 4304	4576	FFE8EB~1.EXE	104
PID 4576 wrote to memory of 4304	4576	FFE8EB~1.EXE	104
PID 4304 wrote to memory of 4564	4304	svchost.com	105
PID 4304 wrote to memory of 4564	4304	svchost.com	105
PID 4304 wrote to memory of 4564	4304	svchost.com	105
PID 4564 wrote to memory of 3596	4564	FFE8EB~1.EXE	106

C:\Users\Admin\AppData\Local\Temp\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
"C:\Users\Admin\AppData\Local\Temp\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        66⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        67⤵
        Drops file in Windows directory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        68⤵
        Modifies registry class
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        69⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        70⤵
        Checks computer location settings
        
        PID:3256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        71⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        72⤵
        Modifies registry class
        
        PID:3272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        73⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        74⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        77⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        78⤵
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        79⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        80⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        81⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        82⤵
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        84⤵
        Modifies registry class
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        86⤵
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        87⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        88⤵
        Modifies registry class
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        89⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        90⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        91⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        92⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        93⤵
        Drops file in Windows directory
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        94⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        95⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        97⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        98⤵
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        99⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        100⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        101⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        102⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        103⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        104⤵
        
        PID:3440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        105⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        106⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        107⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        109⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        110⤵
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        111⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        114⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        115⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        116⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        118⤵
        Checks computer location settings
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        120⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        121⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        122⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        123⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        124⤵
        
        PID:3308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        126⤵
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        127⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        128⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        129⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        130⤵
        Modifies registry class
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        132⤵
        Drops file in Windows directory
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        133⤵
        Drops file in Windows directory
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        134⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        135⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        137⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        138⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        139⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        140⤵
        Modifies registry class
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        141⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        142⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        144⤵
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        146⤵
        Checks computer location settings
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        147⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        148⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        149⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        150⤵
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        151⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        154⤵
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        155⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        157⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        158⤵
        Modifies registry class
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        159⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        160⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        162⤵
        Modifies registry class
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        163⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        164⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        165⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        167⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        168⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        169⤵
        Drops file in Windows directory
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        170⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        171⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        172⤵
        Checks computer location settings
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        173⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        174⤵
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        176⤵
        Checks computer location settings
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        180⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        181⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        182⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        184⤵
        Checks computer location settings
        
        PID:1008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        185⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        186⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        188⤵
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        189⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        190⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        192⤵
        
        PID:1540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        193⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        194⤵
        Checks computer location settings
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        197⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        199⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        200⤵
        Checks computer location settings
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        202⤵
        Checks computer location settings
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        203⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        205⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        206⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        207⤵
        Drops file in Windows directory
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        208⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        209⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        211⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        212⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        213⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        214⤵
        Checks computer location settings
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        216⤵
        Modifies registry class
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        217⤵
        Drops file in Windows directory
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        218⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        220⤵
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        221⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        222⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        223⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        224⤵
        Checks computer location settings
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        225⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        226⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        227⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        228⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        229⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        230⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        232⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        234⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        235⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        236⤵
        
        PID:1004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        238⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        239⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        240⤵
        Drops file in Windows directory
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        241⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        242⤵
        Modifies registry class
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        243⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        244⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        245⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        246⤵
        Drops file in Windows directory
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        248⤵
        Checks computer location settings
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        249⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        250⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        251⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        252⤵
        Modifies registry class
        
        PID:3432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        254⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        255⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        256⤵
        Checks computer location settings
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        257⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        258⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        260⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        261⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        262⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        263⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        264⤵
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        265⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        266⤵
        Checks computer location settings
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        267⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        268⤵
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        269⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        270⤵
        Drops file in Windows directory
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        272⤵
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        273⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        274⤵
        
        PID:4788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        275⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        276⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        279⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        280⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        281⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        282⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        283⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        284⤵
        Checks computer location settings
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        285⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        287⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        288⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        289⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        290⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        291⤵
        Drops file in Windows directory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        292⤵
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        293⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        294⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        295⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        296⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        297⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        298⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        299⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        300⤵
        Modifies registry class
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        301⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        302⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        303⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        304⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        305⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        306⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        307⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        309⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        310⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        311⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        312⤵
        Modifies registry class
        
        PID:3668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        313⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        314⤵
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        315⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        316⤵
        Checks computer location settings
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        317⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        318⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        319⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        320⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        321⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        322⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        323⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        324⤵
        Checks computer location settings
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        325⤵
        Drops file in Windows directory
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        326⤵
        Checks computer location settings
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        327⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        328⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        329⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        330⤵
        Checks computer location settings
        
        PID:3984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        331⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        332⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        333⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        334⤵
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        335⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        337⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        338⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        339⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        340⤵
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        341⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        342⤵
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        343⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        344⤵
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        345⤵
        Drops file in Windows directory
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        346⤵
        Checks computer location settings
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        347⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        348⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        349⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        350⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        351⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        352⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        354⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        355⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        356⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        357⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        358⤵
        Checks computer location settings
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        359⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        360⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        362⤵
        Modifies registry class
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        363⤵
        Drops file in Windows directory
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        364⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        365⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        366⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        367⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE"
        369⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FFE8EB~1.EXE
        370⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        371⤵
        
        PID:4552

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2780

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1536

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv qu/j20JjzkeyCaYKwFvaxA.0.2
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
eeb875c0b3c567ce160b6065fa9955c0

SHA1
ee0e1efba40d38746a54bc285f0bd38198550564

SHA256
995bd211c7e3bb5e6ed86064d2c648537b2c5c058f3ca81ab9307cdb0ac2530a

SHA512
416bece422edd84337b789bdbd1e3f888d67dfe1dabbd114ebf07b968d68b848cc10880c2ad439413b47cf1191c273125130399bcc9c4a2ed5719553c51c3ad6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
124147ede15f97b47224628152110ce2

SHA1
4530fee9b1199777693073414b82420a7c88a042

SHA256
3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd

SHA512
f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
4ab023aa6def7b300dec4fc7ef55dbe7

SHA1
aa30491eb799fa5bdf79691f8fe5e087467463f1

SHA256
8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673

SHA512
000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
2e989da204d9c4c3e375a32edf4d16e7

SHA1
e8a0bf8b4ae4f26e2af5c1748de6055ba4308129

SHA256
cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec

SHA512
3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
66a77a65eea771304e524dd844c9846a

SHA1
f7e3b403439b5f63927e8681a64f62caafe9a360

SHA256
9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6

SHA512
3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
3ccfc6967bcfea597926999974eb0cf9

SHA1
6736e7886e848d41de098cd00b8279c9bc94d501

SHA256
a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9

SHA512
f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
62083653c62d19831081c55fe9594413

SHA1
01f8575efeed7b011d44f049d3baf86c1201a938

SHA256
1d17cbacdd2d2d94f090aeab25cdc6f1a85ffc8589f2e3b44017ea62634f7775

SHA512
f391c79e048a35cceb5f3cfd4cba516301b3996e0a91538f10fc9345f78c9bb39e76e25e79f8a17daf73ff73edb5304571e9b38185805dfccc0c995275aa44b4

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
7aac73055860fcd079d9407cab08276d

SHA1
482b9f337d60270c95950353f9ca8929d8926b1d

SHA256
97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5

SHA512
f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
24eeb998cb16869438b95642d49ac3dd

SHA1
b45aa87f45250aa3482c29b24fa4aa3d57ae4c71

SHA256
a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0

SHA512
2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a31628879099ba1efd1b63e81771f6c7

SHA1
42d9de49d0465c907be8ee1ef1ccf3926b8825fe

SHA256
031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc

SHA512
0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
032ee4d65b62d87cf809438556d30429

SHA1
34458fcefe3c67f19c3d2c94389fc99e54e74801

SHA256
0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b

SHA512
6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
b8bffe8467716db4da9d94061dc33d07

SHA1
db4bac1757b1b60b26e2fef0fc88ce708efad352

SHA256
b03986224aa28f1e1850bd2fcd1a5f5f2fea34c2c0815d8e6943f0a98b754af2

SHA512
5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

Filesize
1.1MB

MD5
ecda5b4161dbf34af2cd3bd4b4ca92a6

SHA1
a76347d21e3bfc8d9a528097318e4b037d7b1351

SHA256
98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f

SHA512
3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ffe8ebf1900570d1cb65f2c871374bb29510d7aa0538dc99c275c6ac1b25d3f5.exe

Filesize
293KB

MD5
951ff419093c67a230e04a1befe2a879

SHA1
e1a22515108a20276995d287321ea4437b8f6bf4

SHA256
a3338bbf32b2c707091e382e26e3ebdcecae8be341de2ab175b2bcd8ee1413c5

SHA512
68b47e5f23f6765cf2cd9dbd7d5c04460a7ba4f9b9413cb3695b9e58dfc4ae45e01cce07810b176ea5a3546697547a5508c4a4ff59bfe5a6bc16095fd6dfa4cb

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
7ec2df8eed735807665e080b1e126758

SHA1
645801588981cd22f692dfde9e011d50df16605a

SHA256
968a4d30bfaa55895362054e5077539d659866e80e4e0734e8cbd4a9cf6ad458

SHA512
cba30ae65d9667ed014d35b7755353563913d15c80fcd565f2900f0cb83486eb00ae3f8b43b041621045cebbd1923ad023aeb749dde84d3fe95a87b26de54235

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/32-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/60-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/696-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1316-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1428-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1480-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1488-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1540-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1884-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2028-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2328-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2852-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3124-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3276-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3344-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3368-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3496-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3596-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3736-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3800-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3840-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3896-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3980-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4044-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4084-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4216-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4264-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4292-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4348-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4508-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4576-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4652-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4776-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4860-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5036-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5048-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5052-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads