neshta | caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
Size

365KB
MD5

28336bd7b647d1ab5915ed0da4fd9c90
SHA1

508e3c7f53d7f32dbad9e29b16ad91289164f190
SHA256

caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1
SHA512

e2753338f61e34a981807b02e436b91b7df7decad2e898f006ab6f82389b76c6fc96cd9e8643e96cf4f646d40209c1e13ff00bb5b03a0a80445ff5e26e237611
SSDEEP

6144:k9niwHv5AjJLo2I3p9ojRxAOZSu7dBEJTl1YMsJTl1YM19:y9HujJLYp9Y2OdBo7y7

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b95-4.dat	family_neshta
behavioral2/files/0x000a000000023b96-10.dat	family_neshta
behavioral2/memory/4808-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2116-26-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4212-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4160-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4172-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4408-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2892-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4356-63-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020378-69.dat	family_neshta
behavioral2/files/0x000600000002024b-74.dat	family_neshta
behavioral2/files/0x000400000002033e-87.dat	family_neshta
behavioral2/files/0x00010000000202c9-79.dat	family_neshta
behavioral2/files/0x000100000002025a-78.dat	family_neshta
behavioral2/memory/4540-93-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4240-104-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000400000002036a-77.dat	family_neshta
behavioral2/memory/3324-115-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1068-107-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020247-76.dat	family_neshta
behavioral2/files/0x0006000000020253-75.dat	family_neshta
behavioral2/files/0x00070000000202b3-73.dat	family_neshta
behavioral2/memory/1784-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1140-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002026a-129.dat	family_neshta
behavioral2/files/0x0001000000021564-135.dat	family_neshta
behavioral2/files/0x0001000000021511-140.dat	family_neshta
behavioral2/files/0x0001000000022f6e-150.dat	family_neshta
behavioral2/files/0x0001000000022f6c-159.dat	family_neshta
behavioral2/files/0x0001000000022fab-161.dat	family_neshta
behavioral2/memory/1416-170-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000001dbea-185.dat	family_neshta
behavioral2/files/0x000100000001691e-199.dat	family_neshta
behavioral2/memory/1896-205-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000001dbe8-184.dat	family_neshta
behavioral2/files/0x000100000001dbde-183.dat	family_neshta
behavioral2/files/0x00010000000167f0-181.dat	family_neshta
behavioral2/files/0x00010000000167d2-166.dat	family_neshta
behavioral2/memory/868-219-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000167b7-165.dat	family_neshta
behavioral2/files/0x0001000000022fad-160.dat	family_neshta
behavioral2/files/0x0001000000022f6f-158.dat	family_neshta
behavioral2/files/0x0001000000022f6d-149.dat	family_neshta
behavioral2/files/0x0001000000021510-143.dat	family_neshta
behavioral2/files/0x000100000002150f-142.dat	family_neshta
behavioral2/memory/1472-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4380-231-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2556-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2984-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2316-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1204-251-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/392-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3544-259-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4680-266-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2356-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4980-274-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4412-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1948-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3916-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3196-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4540-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4496-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3628-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CAF802~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2532	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
4808	svchost.com
2116	CAF802~1.EXE
4212	svchost.com
4160	CAF802~1.EXE
4172	svchost.com
4408	CAF802~1.EXE
2892	svchost.com
4356	CAF802~1.EXE
4540	svchost.com
4240	CAF802~1.EXE
1068	svchost.com
3324	CAF802~1.EXE
1784	svchost.com
1140	CAF802~1.EXE
1416	svchost.com
1896	CAF802~1.EXE
868	svchost.com
1472	CAF802~1.EXE
4380	svchost.com
2556	CAF802~1.EXE
2984	svchost.com
2316	CAF802~1.EXE
1204	svchost.com
392	CAF802~1.EXE
3544	svchost.com
4680	CAF802~1.EXE
2356	svchost.com
4980	CAF802~1.EXE
4412	svchost.com
1948	CAF802~1.EXE
3916	svchost.com
3196	CAF802~1.EXE
4540	svchost.com
4496	CAF802~1.EXE
3628	svchost.com
1068	CAF802~1.EXE
2456	svchost.com
3576	CAF802~1.EXE
3640	svchost.com
1424	CAF802~1.EXE
3160	svchost.com
4224	CAF802~1.EXE
4884	svchost.com
1040	CAF802~1.EXE
4432	svchost.com
4660	CAF802~1.EXE
1632	svchost.com
1896	CAF802~1.EXE
3008	svchost.com
1684	CAF802~1.EXE
1456	svchost.com
2520	CAF802~1.EXE
3616	svchost.com
1828	CAF802~1.EXE
4856	svchost.com
1188	CAF802~1.EXE
2264	svchost.com
3696	CAF802~1.EXE
3284	svchost.com
3460	CAF802~1.EXE
1968	svchost.com
4212	CAF802~1.EXE
532	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CAF802~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CAF802~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAF802~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CAF802~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 2532	3220	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	83
PID 3220 wrote to memory of 2532	3220	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	83
PID 3220 wrote to memory of 2532	3220	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	83
PID 2532 wrote to memory of 4808	2532	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	84
PID 2532 wrote to memory of 4808	2532	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	84
PID 2532 wrote to memory of 4808	2532	caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe	84
PID 4808 wrote to memory of 2116	4808	svchost.com	85
PID 4808 wrote to memory of 2116	4808	svchost.com	85
PID 4808 wrote to memory of 2116	4808	svchost.com	85
PID 2116 wrote to memory of 4212	2116	CAF802~1.EXE	86
PID 2116 wrote to memory of 4212	2116	CAF802~1.EXE	86
PID 2116 wrote to memory of 4212	2116	CAF802~1.EXE	86
PID 4212 wrote to memory of 4160	4212	svchost.com	87
PID 4212 wrote to memory of 4160	4212	svchost.com	87
PID 4212 wrote to memory of 4160	4212	svchost.com	87
PID 4160 wrote to memory of 4172	4160	CAF802~1.EXE	88
PID 4160 wrote to memory of 4172	4160	CAF802~1.EXE	88
PID 4160 wrote to memory of 4172	4160	CAF802~1.EXE	88
PID 4172 wrote to memory of 4408	4172	svchost.com	89
PID 4172 wrote to memory of 4408	4172	svchost.com	89
PID 4172 wrote to memory of 4408	4172	svchost.com	89
PID 4408 wrote to memory of 2892	4408	CAF802~1.EXE	90
PID 4408 wrote to memory of 2892	4408	CAF802~1.EXE	90
PID 4408 wrote to memory of 2892	4408	CAF802~1.EXE	90
PID 2892 wrote to memory of 4356	2892	svchost.com	91
PID 2892 wrote to memory of 4356	2892	svchost.com	91
PID 2892 wrote to memory of 4356	2892	svchost.com	91
PID 4356 wrote to memory of 4540	4356	CAF802~1.EXE	116
PID 4356 wrote to memory of 4540	4356	CAF802~1.EXE	116
PID 4356 wrote to memory of 4540	4356	CAF802~1.EXE	116
PID 4540 wrote to memory of 4240	4540	svchost.com	93
PID 4540 wrote to memory of 4240	4540	svchost.com	93
PID 4540 wrote to memory of 4240	4540	svchost.com	93
PID 4240 wrote to memory of 1068	4240	CAF802~1.EXE	119
PID 4240 wrote to memory of 1068	4240	CAF802~1.EXE	119
PID 4240 wrote to memory of 1068	4240	CAF802~1.EXE	119
PID 1068 wrote to memory of 3324	1068	svchost.com	95
PID 1068 wrote to memory of 3324	1068	svchost.com	95
PID 1068 wrote to memory of 3324	1068	svchost.com	95
PID 3324 wrote to memory of 1784	3324	CAF802~1.EXE	96
PID 3324 wrote to memory of 1784	3324	CAF802~1.EXE	96
PID 3324 wrote to memory of 1784	3324	CAF802~1.EXE	96
PID 1784 wrote to memory of 1140	1784	svchost.com	97
PID 1784 wrote to memory of 1140	1784	svchost.com	97
PID 1784 wrote to memory of 1140	1784	svchost.com	97
PID 1140 wrote to memory of 1416	1140	CAF802~1.EXE	98
PID 1140 wrote to memory of 1416	1140	CAF802~1.EXE	98
PID 1140 wrote to memory of 1416	1140	CAF802~1.EXE	98
PID 1416 wrote to memory of 1896	1416	svchost.com	131
PID 1416 wrote to memory of 1896	1416	svchost.com	131
PID 1416 wrote to memory of 1896	1416	svchost.com	131
PID 1896 wrote to memory of 868	1896	CAF802~1.EXE	100
PID 1896 wrote to memory of 868	1896	CAF802~1.EXE	100
PID 1896 wrote to memory of 868	1896	CAF802~1.EXE	100
PID 868 wrote to memory of 1472	868	svchost.com	101
PID 868 wrote to memory of 1472	868	svchost.com	101
PID 868 wrote to memory of 1472	868	svchost.com	101
PID 1472 wrote to memory of 4380	1472	CAF802~1.EXE	102
PID 1472 wrote to memory of 4380	1472	CAF802~1.EXE	102
PID 1472 wrote to memory of 4380	1472	CAF802~1.EXE	102
PID 4380 wrote to memory of 2556	4380	svchost.com	222
PID 4380 wrote to memory of 2556	4380	svchost.com	222
PID 4380 wrote to memory of 2556	4380	svchost.com	222
PID 2556 wrote to memory of 2984	2556	CAF802~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
"C:\Users\Admin\AppData\Local\Temp\caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\3582-490\caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        34⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        66⤵
        Checks computer location settings
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        67⤵
        Drops file in Windows directory
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        68⤵
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        69⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        70⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        73⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        74⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        76⤵
        Checks computer location settings
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        77⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        78⤵
        Checks computer location settings
        
        PID:4032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        79⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        80⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        81⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        82⤵
        Drops file in Windows directory
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        83⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        84⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        85⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        87⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        88⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        89⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        90⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        91⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        92⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        93⤵
        Drops file in Windows directory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        94⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        96⤵
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        97⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        98⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        100⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        101⤵
        Drops file in Windows directory
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        102⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        103⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        104⤵
        Checks computer location settings
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        107⤵
        Drops file in Windows directory
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        109⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        111⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        113⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        114⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        115⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        116⤵
        Modifies registry class
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        118⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        119⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        121⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        122⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        124⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        125⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        126⤵
        Modifies registry class
        
        PID:4116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        128⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        129⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        130⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        132⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        134⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        135⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        136⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        137⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        138⤵
        Checks computer location settings
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        139⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        140⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        142⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        144⤵
        Checks computer location settings
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        146⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        147⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        148⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        150⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        151⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        152⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        153⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        154⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        155⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        156⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        157⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        158⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        160⤵
        Checks computer location settings
        
        PID:668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        161⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        162⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        163⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        164⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        165⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        167⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        168⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        169⤵
        Drops file in Windows directory
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        170⤵
        Modifies registry class
        
        PID:4104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        171⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        172⤵
        Checks computer location settings
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        173⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        174⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        175⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        176⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        178⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        179⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        180⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        184⤵
        Checks computer location settings
        Modifies registry class
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        186⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        187⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        188⤵
        Checks computer location settings
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        189⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        190⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        191⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        193⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        194⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        195⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        196⤵
        Modifies registry class
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        198⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        200⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        201⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        202⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        203⤵
        Drops file in Windows directory
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        204⤵
        Checks computer location settings
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        206⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        207⤵
        Drops file in Windows directory
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        208⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        209⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        210⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        211⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        212⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        213⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        214⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        216⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        217⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        218⤵
        Modifies registry class
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        219⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        220⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        221⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        222⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        223⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        224⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        225⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        226⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        227⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        228⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        229⤵
        Drops file in Windows directory
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        231⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        232⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        233⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        234⤵
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        236⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        237⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        238⤵
        Checks computer location settings
        
        PID:4992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        239⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        240⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        241⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        242⤵
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        243⤵
        Drops file in Windows directory
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        244⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        245⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        246⤵
        Checks computer location settings
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        248⤵
        Modifies registry class
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        249⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        250⤵
        Checks computer location settings
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        251⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        252⤵
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        253⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        254⤵
        
        PID:1196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        256⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        258⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        259⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        260⤵
        Checks computer location settings
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        261⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        262⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE"
        263⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CAF802~1.EXE
        264⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:4516

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
224KB

MD5
f89440ce4ff5c1295c1799339a530303

SHA1
b3cdd4410c3b3315713a24cd547664a220e7ec0d

SHA256
5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2

SHA512
8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
318KB

MD5
f7ae513c4b49b132eaaca8c6439f6fd9

SHA1
5d895f3ea091a13bfd4621383c354a195b5d9582

SHA256
28383114ddb138b10a7658bd4b0709fd6e496335cef5d5da827f2687077e5add

SHA512
6c2fff3aeb43cb30a0248e361eed013a4f44e02a6bf2e17f34159e7ad00fa265b9f30038697a82ede6261a23a478b9e6c4f6c84e54576eb188c4756667ff2598

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
366KB

MD5
5e635549ecc44d3e5923ff6452eb9bd4

SHA1
7884700d0a660b54e1d5e3fa4af3207cbaaa125b

SHA256
aa030c665b05e8d3d017ee6905a38388404d56df96d824071a3faf40f82a6e15

SHA512
0f7552eec8ece78ed1eaf91e2388fe5ddbc20310bced15cb69b2f9239b9f928489fa442a03b3d7e55d3736b46a6f9e87e0a9396993e1819c6c60e86bb2f561bc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

Filesize
258KB

MD5
d9186b6dd347f1cf59349b6fc87f0a98

SHA1
6700d12be4bd504c4c2a67e17eea8568416edf93

SHA256
a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4

SHA512
a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27543bab17420af611ccc3029db9465a

SHA1
f0f96fd53f9695737a3fa6145bc5a6ce58227966

SHA256
75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

SHA512
a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\caf802e251fef0e10be1839d32c271be2abf687cdccfa1842baae6c1d51a6af1N.exe

Filesize
325KB

MD5
964fd995788a0fc60c550ed401c87ee4

SHA1
d485e5d1eb8875aa14676332277412422286f1b8

SHA256
e695d5e623a176f3923f0b0d3cf9b1b25e665c5c511ee39a5d01fb05bfc7c25d

SHA512
9821e3a5eaa2cd9958786eb55ba2d318b2ae043085b8081aed97f3bd9453cdf8c3b35fbc377fa695d31bffae623518bffc90cd054a543af8389309c2a3cdc1ff

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
91a0f74334f07b1ed427eafa2b5aba63

SHA1
834d965b6136a139f71732c1b607b4e93248bd00

SHA256
62bc928be7befb9ffb952c323e0d6773c73641077ecdc6279e6df2bb46890807

SHA512
557e0af972d29f8df75fb3e98bb0c796f4ac28cad14db5e31b2725c9ad21099533dc6c0518ccb6fe254ddf9430b92a58e8919636c918c79d27172c70877d1e38

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/392-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/868-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1040-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1188-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1204-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1416-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1424-322-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1456-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1632-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1784-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1828-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1896-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1896-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2116-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2984-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3196-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3284-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3324-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3460-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3544-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3616-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3628-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3640-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3916-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4160-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4172-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4212-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4212-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4224-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4240-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4356-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4380-231-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4408-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4412-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4496-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4540-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4540-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4660-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4680-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4856-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4860-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4884-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads