neshta | eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbd

Analysis

max time kernel
91s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
Size

265KB
MD5

929bc96cc8deb8a5637e2a8bfa1e30f0
SHA1

7f2a6af568cc7b067554444e1708c5081a8fc664
SHA256

eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbd
SHA512

17e2e116d9d0724756322673818338ad4f5fece1c03c8e79174b3ce4aa987b8d436e858022f94c9d6d6110b3e0e7ba57f017f55bfb1ffe73d260dab77f3eafd1
SSDEEP

3072:sr85CVLpp4bVWWwokzaLS+z9R4DJQPk4VsLwJ1JkxMqXyryr85Cxr85C:k9JOw/OLSvY9sLwfTqXj9N9

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b37-4.dat	family_neshta
behavioral2/files/0x000a000000023b38-10.dat	family_neshta
behavioral2/memory/316-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/648-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/844-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4592-38-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3712-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4484-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4716-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2604-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020348-65.dat	family_neshta
behavioral2/files/0x0006000000020223-72.dat	family_neshta
behavioral2/files/0x000600000002021b-71.dat	family_neshta
behavioral2/files/0x0007000000020283-69.dat	family_neshta
behavioral2/files/0x000400000002033b-79.dat	family_neshta
behavioral2/memory/4564-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/940-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2988-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/116-110-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000021534-115.dat	family_neshta
behavioral2/files/0x0002000000020312-114.dat	family_neshta
behavioral2/files/0x00010000000214e1-123.dat	family_neshta
behavioral2/files/0x00010000000214e0-120.dat	family_neshta
behavioral2/files/0x0001000000022f41-126.dat	family_neshta
behavioral2/files/0x0001000000022f80-134.dat	family_neshta
behavioral2/files/0x00010000000214df-119.dat	family_neshta
behavioral2/files/0x000100000001dbca-151.dat	family_neshta
behavioral2/files/0x0001000000022e7a-164.dat	family_neshta
behavioral2/files/0x0001000000016912-162.dat	family_neshta
behavioral2/files/0x000200000000072b-168.dat	family_neshta
behavioral2/memory/4544-182-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5104-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2736-199-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4692-203-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000e00000001f3b9-217.dat	family_neshta
behavioral2/files/0x000300000001e8bb-224.dat	family_neshta
behavioral2/files/0x000300000001e86a-223.dat	family_neshta
behavioral2/memory/3124-225-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5088-232-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000b00000001e7fa-221.dat	family_neshta
behavioral2/files/0x000b00000001edf9-220.dat	family_neshta
behavioral2/files/0x000500000001e8b4-219.dat	family_neshta
behavioral2/files/0x000b00000001e610-218.dat	family_neshta
behavioral2/files/0x000500000001e6a9-216.dat	family_neshta
behavioral2/files/0x000600000001db5f-213.dat	family_neshta
behavioral2/files/0x00020000000215d2-212.dat	family_neshta
behavioral2/memory/3272-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4572-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4788-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4800-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3636-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4072-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3928-257-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4328-259-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4932-265-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1032-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1164-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1976-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3388-281-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3120-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4520-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2228-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4808-297-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2712-304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EB1C2C~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
4684	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
316	svchost.com
648	EB1C2C~1.EXE
844	svchost.com
4592	EB1C2C~1.EXE
3712	svchost.com
4484	EB1C2C~1.EXE
4716	svchost.com
2604	EB1C2C~1.EXE
4564	svchost.com
940	EB1C2C~1.EXE
2988	svchost.com
116	EB1C2C~1.EXE
4544	svchost.com
5104	EB1C2C~1.EXE
2736	svchost.com
4692	EB1C2C~1.EXE
3124	svchost.com
5088	EB1C2C~1.EXE
3272	svchost.com
4572	EB1C2C~1.EXE
4788	svchost.com
4800	EB1C2C~1.EXE
3636	svchost.com
4072	EB1C2C~1.EXE
3928	svchost.com
4328	EB1C2C~1.EXE
4932	svchost.com
1032	EB1C2C~1.EXE
1164	svchost.com
1976	EB1C2C~1.EXE
3388	svchost.com
3120	EB1C2C~1.EXE
4520	svchost.com
2228	EB1C2C~1.EXE
4808	svchost.com
2712	EB1C2C~1.EXE
2260	svchost.com
2604	EB1C2C~1.EXE
4004	svchost.com
4896	EB1C2C~1.EXE
2160	svchost.com
3772	EB1C2C~1.EXE
3036	svchost.com
3424	EB1C2C~1.EXE
3672	svchost.com
2752	EB1C2C~1.EXE
2016	svchost.com
2184	EB1C2C~1.EXE
524	svchost.com
1524	EB1C2C~1.EXE
1696	svchost.com
1340	EB1C2C~1.EXE
1560	svchost.com
1228	EB1C2C~1.EXE
2696	svchost.com
2632	EB1C2C~1.EXE
2740	svchost.com
2640	EB1C2C~1.EXE
4184	svchost.com
4080	EB1C2C~1.EXE
1688	svchost.com
2372	EB1C2C~1.EXE
4728	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	EB1C2C~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE
File opened for modification	C:\Windows\svchost.com	EB1C2C~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB1C2C~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	EB1C2C~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4684	3668	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	81
PID 3668 wrote to memory of 4684	3668	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	81
PID 3668 wrote to memory of 4684	3668	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	81
PID 4684 wrote to memory of 316	4684	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	82
PID 4684 wrote to memory of 316	4684	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	82
PID 4684 wrote to memory of 316	4684	eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe	82
PID 316 wrote to memory of 648	316	svchost.com	83
PID 316 wrote to memory of 648	316	svchost.com	83
PID 316 wrote to memory of 648	316	svchost.com	83
PID 648 wrote to memory of 844	648	EB1C2C~1.EXE	84
PID 648 wrote to memory of 844	648	EB1C2C~1.EXE	84
PID 648 wrote to memory of 844	648	EB1C2C~1.EXE	84
PID 844 wrote to memory of 4592	844	svchost.com	85
PID 844 wrote to memory of 4592	844	svchost.com	85
PID 844 wrote to memory of 4592	844	svchost.com	85
PID 4592 wrote to memory of 3712	4592	EB1C2C~1.EXE	86
PID 4592 wrote to memory of 3712	4592	EB1C2C~1.EXE	86
PID 4592 wrote to memory of 3712	4592	EB1C2C~1.EXE	86
PID 3712 wrote to memory of 4484	3712	svchost.com	87
PID 3712 wrote to memory of 4484	3712	svchost.com	87
PID 3712 wrote to memory of 4484	3712	svchost.com	87
PID 4484 wrote to memory of 4716	4484	EB1C2C~1.EXE	88
PID 4484 wrote to memory of 4716	4484	EB1C2C~1.EXE	88
PID 4484 wrote to memory of 4716	4484	EB1C2C~1.EXE	88
PID 4716 wrote to memory of 2604	4716	svchost.com	119
PID 4716 wrote to memory of 2604	4716	svchost.com	119
PID 4716 wrote to memory of 2604	4716	svchost.com	119
PID 2604 wrote to memory of 4564	2604	EB1C2C~1.EXE	90
PID 2604 wrote to memory of 4564	2604	EB1C2C~1.EXE	90
PID 2604 wrote to memory of 4564	2604	EB1C2C~1.EXE	90
PID 4564 wrote to memory of 940	4564	svchost.com	91
PID 4564 wrote to memory of 940	4564	svchost.com	91
PID 4564 wrote to memory of 940	4564	svchost.com	91
PID 940 wrote to memory of 2988	940	EB1C2C~1.EXE	92
PID 940 wrote to memory of 2988	940	EB1C2C~1.EXE	92
PID 940 wrote to memory of 2988	940	EB1C2C~1.EXE	92
PID 2988 wrote to memory of 116	2988	svchost.com	93
PID 2988 wrote to memory of 116	2988	svchost.com	93
PID 2988 wrote to memory of 116	2988	svchost.com	93
PID 116 wrote to memory of 4544	116	EB1C2C~1.EXE	94
PID 116 wrote to memory of 4544	116	EB1C2C~1.EXE	94
PID 116 wrote to memory of 4544	116	EB1C2C~1.EXE	94
PID 4544 wrote to memory of 5104	4544	svchost.com	95
PID 4544 wrote to memory of 5104	4544	svchost.com	95
PID 4544 wrote to memory of 5104	4544	svchost.com	95
PID 5104 wrote to memory of 2736	5104	EB1C2C~1.EXE	96
PID 5104 wrote to memory of 2736	5104	EB1C2C~1.EXE	96
PID 5104 wrote to memory of 2736	5104	EB1C2C~1.EXE	96
PID 2736 wrote to memory of 4692	2736	svchost.com	97
PID 2736 wrote to memory of 4692	2736	svchost.com	97
PID 2736 wrote to memory of 4692	2736	svchost.com	97
PID 4692 wrote to memory of 3124	4692	EB1C2C~1.EXE	98
PID 4692 wrote to memory of 3124	4692	EB1C2C~1.EXE	98
PID 4692 wrote to memory of 3124	4692	EB1C2C~1.EXE	98
PID 3124 wrote to memory of 5088	3124	svchost.com	99
PID 3124 wrote to memory of 5088	3124	svchost.com	99
PID 3124 wrote to memory of 5088	3124	svchost.com	99
PID 5088 wrote to memory of 3272	5088	EB1C2C~1.EXE	100
PID 5088 wrote to memory of 3272	5088	EB1C2C~1.EXE	100
PID 5088 wrote to memory of 3272	5088	EB1C2C~1.EXE	100
PID 3272 wrote to memory of 4572	3272	svchost.com	101
PID 3272 wrote to memory of 4572	3272	svchost.com	101
PID 3272 wrote to memory of 4572	3272	svchost.com	101
PID 4572 wrote to memory of 4788	4572	EB1C2C~1.EXE	102

C:\Users\Admin\AppData\Local\Temp\eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
"C:\Users\Admin\AppData\Local\Temp\eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\3582-490\eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        39⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        66⤵
        Checks computer location settings
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        67⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        68⤵
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        70⤵
        
        PID:3364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        71⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        72⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        73⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        74⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        75⤵
        Drops file in Windows directory
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        76⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        77⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        79⤵
        Drops file in Windows directory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        81⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        82⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        83⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        84⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        85⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        86⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        87⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        89⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        90⤵
        Checks computer location settings
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        92⤵
        Modifies registry class
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        93⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        94⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        95⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        96⤵
        Checks computer location settings
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        97⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        98⤵
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        99⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        100⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        101⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        102⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        104⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        105⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        106⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        108⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        110⤵
        Drops file in Windows directory
        
        PID:4728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        112⤵
        
        PID:3392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        113⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        114⤵
        
        PID:960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        115⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        116⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        120⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        121⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        122⤵
        
        PID:1628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        123⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        124⤵
        Checks computer location settings
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        125⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        126⤵
        Drops file in Windows directory
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        127⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        128⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        129⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        130⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        131⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        133⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        134⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        135⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        136⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        137⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        138⤵
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        139⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        140⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        141⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        142⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        143⤵
        Drops file in Windows directory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        144⤵
        Checks computer location settings
        
        PID:1116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        147⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        148⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        149⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        150⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        151⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        152⤵
        Drops file in Windows directory
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        153⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        154⤵
        Checks computer location settings
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        156⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        158⤵
        Modifies registry class
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        160⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        161⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        162⤵
        Modifies registry class
        
        PID:3688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        163⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        164⤵
        Checks computer location settings
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        165⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        166⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        167⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        169⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        170⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        171⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        172⤵
        
        PID:1192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        173⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        174⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        175⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        176⤵
        Drops file in Windows directory
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        177⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        178⤵
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        179⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        180⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        181⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        182⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        183⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        185⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        186⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        187⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        188⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        189⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        190⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        192⤵
        Drops file in Windows directory
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        194⤵
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        195⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        196⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        197⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        198⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        200⤵
        Drops file in Windows directory
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        201⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        202⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        203⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        205⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        206⤵
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        207⤵
        Drops file in Windows directory
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        208⤵
        
        PID:2240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        211⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        212⤵
        Checks computer location settings
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        213⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        214⤵
        
        PID:780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        215⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        217⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        218⤵
        
        PID:4492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        219⤵
        Drops file in Windows directory
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        220⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        221⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        222⤵
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        223⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        224⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        225⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        226⤵
        Checks computer location settings
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        227⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        228⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        230⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        231⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        232⤵
        Checks computer location settings
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        234⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        235⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        236⤵
        Checks computer location settings
        
        PID:4320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        237⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        238⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        239⤵
        Drops file in Windows directory
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        240⤵
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        242⤵
        Checks computer location settings
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        243⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        244⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        245⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        246⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        247⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        248⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        249⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        250⤵
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        251⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        252⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        255⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        256⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        257⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        258⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        259⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        260⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        261⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        262⤵
        Checks computer location settings
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        264⤵
        Checks computer location settings
        
        PID:3972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        265⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        266⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        269⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        271⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        272⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        273⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        274⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        275⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        276⤵
        Checks computer location settings
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        277⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        278⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        279⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        280⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        281⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        282⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        283⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        284⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        285⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        286⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        287⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        288⤵
        
        PID:1232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        289⤵
        Drops file in Windows directory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        290⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        291⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        292⤵
        Checks computer location settings
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        293⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        296⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        297⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        298⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        299⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        300⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        301⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        302⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        303⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        304⤵
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        305⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        306⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE"
        307⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\EB1C2C~1.EXE
        308⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        309⤵
        
        PID:2012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4808

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
10748253009c18f4695b7043dcf36fdc

SHA1
22d24c7b4cd0b280f09a76534545cfdc1d66a256

SHA256
3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1

SHA512
477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
051978153bcd2b1cf032fa1bf5a82020

SHA1
ec6d1d42905a1c92ccee5f4980898d7a1d72aa23

SHA256
88e90f04db57a472acacf1f4e7616d05a488fc7a1b41a468b357ac4419489940

SHA512
68dec8a12b2c10a9ff83907705c68c77284928d9349a8ba93808d09123752b84944505208d7d71540e340dcbb06e74c79fa24748098308eeecab5f80ab4e8d15

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
558fdb0b9f097118b0c928bb6062370a

SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3

SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924

SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
2f826daacb184077b67aad3fe30e3413

SHA1
981d415fe70414aaac3a11024e65ae2e949aced8

SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222

SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
650KB

MD5
72d0addae57f28c993b319bfafa190ac

SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3

SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18

SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\eb1c2cd4e28ee72651f2c9d76cdf18dc4c3e55efa97d921b36909b89df1f1cbdN.exe

Filesize
224KB

MD5
950a0c9fbe2335d05dabcf498d38fb10

SHA1
38fc7b0897922747448ed53dce45d0d35a6c21fb

SHA256
bc4fc4fe56722174ef79348db69d4cd4f2566ea18991691874c4af30c51ebf00

SHA512
526baf20ee8def27bd45438da476def278a02a758c47acd5ddace5a15216fee974d6f7d9ce207ea972283d0a325db12a733ab2c813d29edc2ae17004cb75df5d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ea0df5a5e619ffd6836ff5fdc01dc452

SHA1
ca0a9679d7b5f0d3aae28b3e47ba18c2a0dc4aeb

SHA256
2ca3e1cfe9bade0f7341b1e590e7409fd195056f3acba6bc3a6dd2b9f30889b0

SHA512
149ace930f545568bf940c0688b1065e276976e4c415fdf2bb567d3ad9d1fe015e44ccfa4ee7de13dbad092395aafb8540bafb9a50d78c3b00da48ba195d11ab

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/116-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/316-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/524-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/648-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/940-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1164-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1524-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1560-369-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1976-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2160-321-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2260-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2632-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2640-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3120-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3124-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3272-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3388-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3636-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3672-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3712-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3772-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3928-257-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4184-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4328-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4484-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4520-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4544-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4564-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4572-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4592-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4692-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4716-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4788-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4800-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5088-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5104-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads