neshta | fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Size

383KB
MD5

22f70db1f27b3553a4942d1b3cbe7275
SHA1

3c6aba77ef2c4f9355a66154cacc8ea514c16c06
SHA256

fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec
SHA512

3adb4c03d1dd124f6de7716490733df250397dd59d950d777ca300e8424dcb4d7cecba71e585c1d72780ed9446d0a769bcfd741bfc1052086d9d43e61fc5ba09
SSDEEP

3072:zr8WDrCjXrtbl44nwb+E/UeH+QyJen3nt3fJaiakiO8sd8rKzXetLYruD5fDeFru:PujXM4nntUNfJzeOxXeyro5uu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FD662C~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
4476	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
3996	svchost.com
4820	FD662C~1.EXE
3028	svchost.com
1792	FD662C~1.EXE
3912	svchost.com
1832	FD662C~1.EXE
4384	svchost.com
2224	FD662C~1.EXE
2984	svchost.com
312	FD662C~1.EXE
100	svchost.com
2112	FD662C~1.EXE
2880	svchost.com
760	FD662C~1.EXE
2752	svchost.com
3176	FD662C~1.EXE
3416	svchost.com
3692	FD662C~1.EXE
4004	svchost.com
3568	FD662C~1.EXE
2632	svchost.com
2084	FD662C~1.EXE
4692	svchost.com
4744	FD662C~1.EXE
4932	svchost.com
4696	FD662C~1.EXE
4656	svchost.com
5008	FD662C~1.EXE
3996	svchost.com
4824	FD662C~1.EXE
3940	svchost.com
3724	FD662C~1.EXE
4236	svchost.com
1848	FD662C~1.EXE
4600	svchost.com
2932	FD662C~1.EXE
1360	svchost.com
3640	FD662C~1.EXE
5028	svchost.com
3808	FD662C~1.EXE
2184	svchost.com
2012	FD662C~1.EXE
3356	svchost.com
4364	FD662C~1.EXE
456	svchost.com
2380	FD662C~1.EXE
5024	svchost.com
1052	FD662C~1.EXE
1548	svchost.com
1060	FD662C~1.EXE
3988	svchost.com
1260	FD662C~1.EXE
8	svchost.com
3744	FD662C~1.EXE
3296	svchost.com
3628	FD662C~1.EXE
3904	svchost.com
3620	FD662C~1.EXE
3352	svchost.com
1712	FD662C~1.EXE
4108	svchost.com
924	FD662C~1.EXE
1328	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE
File opened for modification	C:\Windows\svchost.com	FD662C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FD662C~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FD662C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	FD662C~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4476	4928	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 4928 wrote to memory of 4476	4928	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 4928 wrote to memory of 4476	4928	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	82
PID 4476 wrote to memory of 3996	4476	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 4476 wrote to memory of 3996	4476	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 4476 wrote to memory of 3996	4476	fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe	83
PID 3996 wrote to memory of 4820	3996	svchost.com	84
PID 3996 wrote to memory of 4820	3996	svchost.com	84
PID 3996 wrote to memory of 4820	3996	svchost.com	84
PID 4820 wrote to memory of 3028	4820	FD662C~1.EXE	85
PID 4820 wrote to memory of 3028	4820	FD662C~1.EXE	85
PID 4820 wrote to memory of 3028	4820	FD662C~1.EXE	85
PID 3028 wrote to memory of 1792	3028	svchost.com	86
PID 3028 wrote to memory of 1792	3028	svchost.com	86
PID 3028 wrote to memory of 1792	3028	svchost.com	86
PID 1792 wrote to memory of 3912	1792	FD662C~1.EXE	87
PID 1792 wrote to memory of 3912	1792	FD662C~1.EXE	87
PID 1792 wrote to memory of 3912	1792	FD662C~1.EXE	87
PID 3912 wrote to memory of 1832	3912	svchost.com	88
PID 3912 wrote to memory of 1832	3912	svchost.com	88
PID 3912 wrote to memory of 1832	3912	svchost.com	88
PID 1832 wrote to memory of 4384	1832	FD662C~1.EXE	89
PID 1832 wrote to memory of 4384	1832	FD662C~1.EXE	89
PID 1832 wrote to memory of 4384	1832	FD662C~1.EXE	89
PID 4384 wrote to memory of 2224	4384	svchost.com	90
PID 4384 wrote to memory of 2224	4384	svchost.com	90
PID 4384 wrote to memory of 2224	4384	svchost.com	90
PID 2224 wrote to memory of 2984	2224	FD662C~1.EXE	91
PID 2224 wrote to memory of 2984	2224	FD662C~1.EXE	91
PID 2224 wrote to memory of 2984	2224	FD662C~1.EXE	91
PID 2984 wrote to memory of 312	2984	svchost.com	92
PID 2984 wrote to memory of 312	2984	svchost.com	92
PID 2984 wrote to memory of 312	2984	svchost.com	92
PID 312 wrote to memory of 100	312	FD662C~1.EXE	93
PID 312 wrote to memory of 100	312	FD662C~1.EXE	93
PID 312 wrote to memory of 100	312	FD662C~1.EXE	93
PID 100 wrote to memory of 2112	100	svchost.com	94
PID 100 wrote to memory of 2112	100	svchost.com	94
PID 100 wrote to memory of 2112	100	svchost.com	94
PID 2112 wrote to memory of 2880	2112	FD662C~1.EXE	95
PID 2112 wrote to memory of 2880	2112	FD662C~1.EXE	95
PID 2112 wrote to memory of 2880	2112	FD662C~1.EXE	95
PID 2880 wrote to memory of 760	2880	svchost.com	96
PID 2880 wrote to memory of 760	2880	svchost.com	96
PID 2880 wrote to memory of 760	2880	svchost.com	96
PID 760 wrote to memory of 2752	760	FD662C~1.EXE	97
PID 760 wrote to memory of 2752	760	FD662C~1.EXE	97
PID 760 wrote to memory of 2752	760	FD662C~1.EXE	97
PID 2752 wrote to memory of 3176	2752	svchost.com	98
PID 2752 wrote to memory of 3176	2752	svchost.com	98
PID 2752 wrote to memory of 3176	2752	svchost.com	98
PID 3176 wrote to memory of 3416	3176	FD662C~1.EXE	99
PID 3176 wrote to memory of 3416	3176	FD662C~1.EXE	99
PID 3176 wrote to memory of 3416	3176	FD662C~1.EXE	99
PID 3416 wrote to memory of 3692	3416	svchost.com	100
PID 3416 wrote to memory of 3692	3416	svchost.com	100
PID 3416 wrote to memory of 3692	3416	svchost.com	100
PID 3692 wrote to memory of 4004	3692	FD662C~1.EXE	101
PID 3692 wrote to memory of 4004	3692	FD662C~1.EXE	101
PID 3692 wrote to memory of 4004	3692	FD662C~1.EXE	101
PID 4004 wrote to memory of 3568	4004	svchost.com	102
PID 4004 wrote to memory of 3568	4004	svchost.com	102
PID 4004 wrote to memory of 3568	4004	svchost.com	102
PID 3568 wrote to memory of 2632	3568	FD662C~1.EXE	103

C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
"C:\Users\Admin\AppData\Local\Temp\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        66⤵
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        67⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        68⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        69⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        72⤵
        Drops file in Windows directory
        
        PID:4236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        73⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        74⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        75⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        76⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        77⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        80⤵
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        82⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        83⤵
        Drops file in Windows directory
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        84⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        85⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        86⤵
        Checks computer location settings
        
        PID:1136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        87⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        88⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        90⤵
        Checks computer location settings
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        91⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        93⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        94⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        96⤵
        Checks computer location settings
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        98⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        100⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        101⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        102⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        103⤵
        Drops file in Windows directory
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        104⤵
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        105⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        106⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        107⤵
        Drops file in Windows directory
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        108⤵
        Drops file in Windows directory
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        109⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        112⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        113⤵
        Drops file in Windows directory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        115⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        116⤵
        Checks computer location settings
        
        PID:3264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        117⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        118⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        119⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        120⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        121⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        122⤵
        Drops file in Windows directory
        
        PID:3844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        123⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        124⤵
        Modifies registry class
        
        PID:468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        125⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        126⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        128⤵
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        130⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        131⤵
        Drops file in Windows directory
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        132⤵
        Checks computer location settings
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        136⤵
        Modifies registry class
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        138⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        139⤵
        Drops file in Windows directory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        140⤵
        Checks computer location settings
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        141⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        142⤵
        Checks computer location settings
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        143⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        144⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        146⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        147⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        148⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        150⤵
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        151⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        152⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        153⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        154⤵
        Checks computer location settings
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        155⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        157⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        158⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        160⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        161⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        162⤵
        Modifies registry class
        
        PID:3596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        163⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        164⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        165⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        166⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        168⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        169⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        170⤵
        Modifies registry class
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        171⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        172⤵
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        173⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        175⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        176⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        178⤵
        Modifies registry class
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        179⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        180⤵
        Checks computer location settings
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        181⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        183⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        184⤵
        Checks computer location settings
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        186⤵
        Modifies registry class
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        188⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        189⤵
        Drops file in Windows directory
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        190⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        191⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        192⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        194⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        196⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        197⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        198⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        199⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        200⤵
        Modifies registry class
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        201⤵
        Drops file in Windows directory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        202⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        205⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        206⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        207⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        208⤵
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        209⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        210⤵
        Drops file in Windows directory
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        211⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        212⤵
        Checks computer location settings
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        213⤵
        Drops file in Windows directory
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        214⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        215⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        216⤵
        Modifies registry class
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        217⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        218⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        219⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        220⤵
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        221⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        222⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        223⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        224⤵
        
        PID:64
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        225⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        226⤵
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        227⤵
        Drops file in Windows directory
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        228⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        229⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        230⤵
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        232⤵
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        233⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        234⤵
        Checks computer location settings
        Modifies registry class
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        235⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        236⤵
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        237⤵
        Drops file in Windows directory
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        238⤵
        Drops file in Windows directory
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        239⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        240⤵
        
        PID:3436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        241⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        242⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        243⤵
        Drops file in Windows directory
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        244⤵
        Checks computer location settings
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        246⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        248⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        250⤵
        Modifies registry class
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        252⤵
        Checks computer location settings
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        253⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        254⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        255⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        256⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        257⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        258⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        259⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        261⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        262⤵
        Modifies registry class
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        263⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        264⤵
        Checks computer location settings
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        265⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        266⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        268⤵
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        269⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        270⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        271⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        272⤵
        Checks computer location settings
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        273⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        274⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        276⤵
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        277⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        278⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        279⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        280⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        282⤵
        Modifies registry class
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        283⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        284⤵
        Checks computer location settings
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        285⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        286⤵
        Checks computer location settings
        Modifies registry class
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        288⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        289⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        290⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        291⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        292⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        293⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        294⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        295⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        296⤵
        Checks computer location settings
        Modifies registry class
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        297⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        298⤵
        
        PID:3904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        299⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        300⤵
        Modifies registry class
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE"
        301⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FD662C~1.EXE
        302⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        303⤵
        
        PID:1392

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
ef63e5ccbea2788d900f1c70a6159c68

SHA1
4ac2e144f9dd97a0cd061b76be89f7850887c166

SHA256
a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45

SHA512
913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
3da833f022988fbc093129595cc8591c

SHA1
fdde5a7fb7a60169d2967ff88c6aba8273f12e36

SHA256
1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66

SHA512
1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
514972e16cdda8b53012ad8a14a26e60

SHA1
aa082c2fbe0b3dd5c47952f9a285636412203559

SHA256
49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4

SHA512
98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
c4a918069757a263adb9fbc9f5c9e00d

SHA1
66d749fc566763b6170080a40f54f4cda4644af4

SHA256
129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b

SHA512
4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
6b27dd3f7c6898e7d1bcff73d6e29858

SHA1
55102c244643d43aeaf625145c6475e78dfbe9de

SHA256
53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3

SHA512
52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
62976c65ded41b4f31c7f379c548e05c

SHA1
3827c414ad15cd67ea8635400002c4c79704250e

SHA256
80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66

SHA512
ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
de9e6086062f01926b48c2d80508d12b

SHA1
13610cca5e38925e22b6a79067df0dd9eca49fe3

SHA256
d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4

SHA512
60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
7aac73055860fcd079d9407cab08276d

SHA1
482b9f337d60270c95950353f9ca8929d8926b1d

SHA256
97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5

SHA512
f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
001760b2a66fb4fff1e2c42bc39e5421

SHA1
1980cafc246e5a31b6e78bcd5eec1726c9789046

SHA256
1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a

SHA512
a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
48628eeb152032e8dc9af97aaaeba7cf

SHA1
e826f32c423627ef625a6618e7250f7dbc4d2501

SHA256
f271af83d96b1d536e1a1788ec0baa0c3c583ddfe61faceccaeec1470c5676ca

SHA512
18a2a247177d04d5b1b56d126d72e29b02c8378e8aa4c89bdbaefe14bcd577d7aa054b05a5db37d142a37cf869f3bc03fe9a5bba4886a52d6c2ede5052dfcc7d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
b6283a7eb554d995d9a7c72dcfca14b5

SHA1
67d64907800c611bbcefd31d2494da12962f5022

SHA256
099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881

SHA512
a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
2424d589d7997df1356c160a9a82088c

SHA1
ca9b479043636434f32c74c2299210ef9f933b98

SHA256
9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60

SHA512
4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
cd4af683704c71887125716ca891e18c

SHA1
64d02bac29cfeeed31978438d572230f316d61df

SHA256
1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5

SHA512
dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
fdad5d6d8cf37e8c446dcd6c56c718c3

SHA1
412883fd3bb56f2b850d2c29ee666d9b75636faf

SHA256
2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c

SHA512
9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
b84ae39dd0420080bd9e6b9557eea65b

SHA1
5326a058a3bcc4eb0530028e17d391e356210603

SHA256
92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924

SHA512
860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
ae390fa093b459a84c27b6c266888a7e

SHA1
ad88709a7f286fc7d65559e9aee3812be6baf4b2

SHA256
738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd

SHA512
096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

Filesize
1.1MB

MD5
24eeb998cb16869438b95642d49ac3dd

SHA1
b45aa87f45250aa3482c29b24fa4aa3d57ae4c71

SHA256
a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0

SHA512
2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
6b7a2ce420e8dd7484ca4fa4460894ae

SHA1
df07e4a085fc29168ae9ec4781b88002077f7594

SHA256
dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4

SHA512
7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
7fbf415b935535d546d5f9203964ed7e

SHA1
ce6a5d5117940e7435f4a0ff412741f40a5cbafb

SHA256
ea24198d33ecd695b9892068d4d155435318e41531d7ca5379b45b344a086a28

SHA512
5e613b6f43f16f298ae67ff1928354e7f40adfc574bec5996dbdef99c8c053f1c32c677f18093c7ff78ec2f883e6d377af8515c76380823264633dd8c78cd2ec

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

Filesize
293KB

MD5
a83fbfc111801fbf211c6aa21b2ccbd1

SHA1
477b9b7e51106becd5e35b63cfb294037b9b786e

SHA256
71accfc55dec05872125751ea5bdf23f57494e71ee747b8106ad23602fcb532f

SHA512
943ffe9c693407704dd317867fe237cf53278edb7d6dd8ddac6fdc567624eb6fd3bca2e238619a30188ee4c0ab464f0a493c5b31bfb7b99d8ea8635a30ed8309

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fd662cb0b8064f5d34bf8b319cc7d8eedba7db34d1e133b9ecc9d999acac1bec.exe

Filesize
342KB

MD5
7ef0e707c6eeb711aad73ee0889d53e9

SHA1
e64c3e990891817e0d8bc9cfa1af375d7715baf7

SHA256
dca0b776d9de5f91c2e66450fc6f37e31039d646fd249102cb4f6027917f2b44

SHA512
72f19a17d51e50996f61a96bbd5c7fdc5873129722fa4b07f4ca821260e0786355b183583fda1dccd1dd7370b45f1eb9062e831e81558a846504682b9ca6d46e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
837625c937c93f660ebea9a810fe8f45

SHA1
f6446f892333ca2ebb8ece4fbbb150ed97c54e74

SHA256
b4ed11330c4889e37122a9eda274badc2f11c80ace26d11ecf29e60da51e36c3

SHA512
235a610d3931b7b62199d9058b804636faa93d2e75e3c4a2383ca753e370185eed2db3f6acd0907f3fddc0c0717be1d3b4457b058f0c0ae22e74d260e5de5fe7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
memory/8-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/100-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/312-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/456-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/760-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/924-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1260-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1328-420-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1360-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1548-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1832-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2984-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3176-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3296-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3356-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3416-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3568-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3620-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3628-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3640-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3692-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3724-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3744-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3808-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3912-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4236-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4600-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4656-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4692-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4696-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4820-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4824-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5024-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads