neshta | a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112

Analysis

max time kernel
38s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
Size

356KB
MD5

5cd3caf696a3dbe90c77067537f37380
SHA1

51ee9003fa2f40ba67df5bcd49805578d487456a
SHA256

a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112
SHA512

8dd455b64548ff541a70c6b11767de254336d8f0552547e2af296006d536df41dc1d4fba40b864a8f0d786c2594c64c5c8d61643140fa13e964dc791294b08d2
SSDEEP

6144:k9NPDAWKklwXx39oBLohizkvxhlDqJd+9:SsWPlwX2Lov5Hq

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b49-4.dat	family_neshta
behavioral2/files/0x0008000000023be3-10.dat	family_neshta
behavioral2/memory/2320-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2524-26-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1748-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3592-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5044-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1380-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3468-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2408-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3444-74-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1268-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1448-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2360-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020343-93.dat	family_neshta
behavioral2/files/0x000600000002021e-106.dat	family_neshta
behavioral2/memory/4708-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020335-112.dat	family_neshta
behavioral2/files/0x000100000002028f-122.dat	family_neshta
behavioral2/files/0x0004000000020348-121.dat	family_neshta
behavioral2/files/0x00010000000202a7-120.dat	family_neshta
behavioral2/files/0x0004000000020336-119.dat	family_neshta
behavioral2/memory/3804-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2892-136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3420-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4964-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214d8-157.dat	family_neshta
behavioral2/files/0x00010000000214da-165.dat	family_neshta
behavioral2/memory/1140-176-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214d9-163.dat	family_neshta
behavioral2/memory/4152-160-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022f2d-178.dat	family_neshta
behavioral2/files/0x0001000000022f2e-181.dat	family_neshta
behavioral2/files/0x0001000000022f2f-186.dat	family_neshta
behavioral2/files/0x0001000000022f6b-191.dat	family_neshta
behavioral2/files/0x00010000000167af-195.dat	family_neshta
behavioral2/files/0x0001000000016801-193.dat	family_neshta
behavioral2/files/0x0001000000016804-203.dat	family_neshta
behavioral2/files/0x00010000000167e8-206.dat	family_neshta
behavioral2/files/0x000100000001dbd1-212.dat	family_neshta
behavioral2/memory/3556-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5008-247-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4536-253-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1344-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4328-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3120-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1508-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4228-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3424-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1236-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3392-292-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1260-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1620-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1380-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2576-308-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1052-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2424-316-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1152-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/868-324-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4560-331-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5032-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2360-334-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4324-340-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A02857~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
1856	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
2320	svchost.com
2524	A02857~1.EXE
1748	svchost.com
3592	A02857~1.EXE
5044	svchost.com
1380	A02857~1.EXE
2576	svchost.com
3468	A02857~1.EXE
2408	svchost.com
3444	A02857~1.EXE
1268	svchost.com
1448	A02857~1.EXE
2360	svchost.com
4708	A02857~1.EXE
3804	svchost.com
2892	A02857~1.EXE
3420	svchost.com
4964	A02857~1.EXE
4152	svchost.com
1140	A02857~1.EXE
3556	svchost.com
5008	A02857~1.EXE
4536	svchost.com
1344	A02857~1.EXE
4328	svchost.com
3120	A02857~1.EXE
1508	svchost.com
4228	A02857~1.EXE
3424	svchost.com
1236	A02857~1.EXE
3392	svchost.com
1260	A02857~1.EXE
1620	svchost.com
1380	A02857~1.EXE
2576	svchost.com
1052	A02857~1.EXE
2424	svchost.com
1152	A02857~1.EXE
868	svchost.com
4560	A02857~1.EXE
5032	svchost.com
2360	A02857~1.EXE
4324	svchost.com
4432	A02857~1.EXE
456	svchost.com
1452	A02857~1.EXE
4024	svchost.com
2580	A02857~1.EXE
3952	svchost.com
3092	A02857~1.EXE
4964	svchost.com
1492	A02857~1.EXE
5068	svchost.com
1140	A02857~1.EXE
1716	svchost.com
1248	A02857~1.EXE
3620	svchost.com
4540	A02857~1.EXE
3112	svchost.com
412	A02857~1.EXE
4760	svchost.com
4448	A02857~1.EXE
2268	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\directx.sys	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	A02857~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A02857~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	A02857~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1856	3236	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	83
PID 3236 wrote to memory of 1856	3236	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	83
PID 3236 wrote to memory of 1856	3236	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	83
PID 1856 wrote to memory of 2320	1856	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	84
PID 1856 wrote to memory of 2320	1856	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	84
PID 1856 wrote to memory of 2320	1856	a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe	84
PID 2320 wrote to memory of 2524	2320	svchost.com	85
PID 2320 wrote to memory of 2524	2320	svchost.com	85
PID 2320 wrote to memory of 2524	2320	svchost.com	85
PID 2524 wrote to memory of 1748	2524	A02857~1.EXE	86
PID 2524 wrote to memory of 1748	2524	A02857~1.EXE	86
PID 2524 wrote to memory of 1748	2524	A02857~1.EXE	86
PID 1748 wrote to memory of 3592	1748	svchost.com	87
PID 1748 wrote to memory of 3592	1748	svchost.com	87
PID 1748 wrote to memory of 3592	1748	svchost.com	87
PID 3592 wrote to memory of 5044	3592	A02857~1.EXE	88
PID 3592 wrote to memory of 5044	3592	A02857~1.EXE	88
PID 3592 wrote to memory of 5044	3592	A02857~1.EXE	88
PID 5044 wrote to memory of 1380	5044	svchost.com	117
PID 5044 wrote to memory of 1380	5044	svchost.com	117
PID 5044 wrote to memory of 1380	5044	svchost.com	117
PID 1380 wrote to memory of 2576	1380	A02857~1.EXE	118
PID 1380 wrote to memory of 2576	1380	A02857~1.EXE	118
PID 1380 wrote to memory of 2576	1380	A02857~1.EXE	118
PID 2576 wrote to memory of 3468	2576	svchost.com	91
PID 2576 wrote to memory of 3468	2576	svchost.com	91
PID 2576 wrote to memory of 3468	2576	svchost.com	91
PID 3468 wrote to memory of 2408	3468	A02857~1.EXE	92
PID 3468 wrote to memory of 2408	3468	A02857~1.EXE	92
PID 3468 wrote to memory of 2408	3468	A02857~1.EXE	92
PID 2408 wrote to memory of 3444	2408	svchost.com	93
PID 2408 wrote to memory of 3444	2408	svchost.com	93
PID 2408 wrote to memory of 3444	2408	svchost.com	93
PID 3444 wrote to memory of 1268	3444	A02857~1.EXE	94
PID 3444 wrote to memory of 1268	3444	A02857~1.EXE	94
PID 3444 wrote to memory of 1268	3444	A02857~1.EXE	94
PID 1268 wrote to memory of 1448	1268	svchost.com	95
PID 1268 wrote to memory of 1448	1268	svchost.com	95
PID 1268 wrote to memory of 1448	1268	svchost.com	95
PID 1448 wrote to memory of 2360	1448	A02857~1.EXE	166
PID 1448 wrote to memory of 2360	1448	A02857~1.EXE	166
PID 1448 wrote to memory of 2360	1448	A02857~1.EXE	166
PID 2360 wrote to memory of 4708	2360	svchost.com	97
PID 2360 wrote to memory of 4708	2360	svchost.com	97
PID 2360 wrote to memory of 4708	2360	svchost.com	97
PID 4708 wrote to memory of 3804	4708	A02857~1.EXE	98
PID 4708 wrote to memory of 3804	4708	A02857~1.EXE	98
PID 4708 wrote to memory of 3804	4708	A02857~1.EXE	98
PID 3804 wrote to memory of 2892	3804	svchost.com	171
PID 3804 wrote to memory of 2892	3804	svchost.com	171
PID 3804 wrote to memory of 2892	3804	svchost.com	171
PID 2892 wrote to memory of 3420	2892	A02857~1.EXE	100
PID 2892 wrote to memory of 3420	2892	A02857~1.EXE	100
PID 2892 wrote to memory of 3420	2892	A02857~1.EXE	100
PID 3420 wrote to memory of 4964	3420	svchost.com	134
PID 3420 wrote to memory of 4964	3420	svchost.com	134
PID 3420 wrote to memory of 4964	3420	svchost.com	134
PID 4964 wrote to memory of 4152	4964	A02857~1.EXE	102
PID 4964 wrote to memory of 4152	4964	A02857~1.EXE	102
PID 4964 wrote to memory of 4152	4964	A02857~1.EXE	102
PID 4152 wrote to memory of 1140	4152	svchost.com	137
PID 4152 wrote to memory of 1140	4152	svchost.com	137
PID 4152 wrote to memory of 1140	4152	svchost.com	137
PID 1140 wrote to memory of 3556	1140	A02857~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
"C:\Users\Admin\AppData\Local\Temp\a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\3582-490\a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        66⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        68⤵
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        70⤵
        Drops file in Windows directory
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        72⤵
        
        PID:3744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        73⤵
        Drops file in Windows directory
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        74⤵
        Drops file in Windows directory
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        75⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        77⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        79⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        83⤵
        Drops file in Windows directory
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        85⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        86⤵
        Checks computer location settings
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        87⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        88⤵
        Drops file in Windows directory
        
        PID:3220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        89⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        90⤵
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        91⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        92⤵
        
        PID:3828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        93⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        94⤵
        Modifies registry class
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        95⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        96⤵
        Drops file in Windows directory
        
        PID:4016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        98⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        99⤵
        Drops file in Windows directory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        100⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        101⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        102⤵
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        105⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        106⤵
        Checks computer location settings
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        107⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        108⤵
        Checks computer location settings
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        109⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        110⤵
        
        PID:4456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        111⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        112⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        113⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        114⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        115⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        116⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        118⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        119⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        120⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        121⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        123⤵
        Drops file in Windows directory
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        124⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        125⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        126⤵
        Checks computer location settings
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        127⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        128⤵
        
        PID:1200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        130⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        131⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        132⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        133⤵
        Drops file in Windows directory
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        134⤵
        Checks computer location settings
        
        PID:532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        135⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        136⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        140⤵
        Checks computer location settings
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        141⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        144⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        145⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        146⤵
        
        PID:716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        147⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        148⤵
        
        PID:3984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        149⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        150⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        151⤵
        Drops file in Windows directory
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        152⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        154⤵
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        155⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        156⤵
        Checks computer location settings
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        157⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        159⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        162⤵
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        163⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        164⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        165⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        168⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        169⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        170⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        171⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        172⤵
        Modifies registry class
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        173⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        174⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        175⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        176⤵
        Drops file in Windows directory
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        177⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        178⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        179⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        181⤵
        Drops file in Windows directory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        182⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        183⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        185⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        186⤵
        Modifies registry class
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        187⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        188⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        189⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        190⤵
        Modifies registry class
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        192⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        193⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        194⤵
        Drops file in Windows directory
        
        PID:3684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        198⤵
        Checks computer location settings
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        199⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        200⤵
        Modifies registry class
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        201⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        202⤵
        Checks computer location settings
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        203⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        204⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        205⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        206⤵
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        207⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        208⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        209⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        210⤵
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        212⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        213⤵
        Drops file in Windows directory
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        214⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        216⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        218⤵
        Modifies registry class
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        219⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        220⤵
        
        PID:4340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        221⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        222⤵
        Checks computer location settings
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        223⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        224⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        225⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        228⤵
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        229⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        230⤵
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        232⤵
        Modifies registry class
        
        PID:164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        233⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        235⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        236⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        238⤵
        
        PID:3748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        239⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        240⤵
        
        PID:2400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        241⤵
        Drops file in Windows directory
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        242⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        243⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        244⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        246⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        247⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        248⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        249⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        250⤵
        Modifies registry class
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        251⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        252⤵
        Checks computer location settings
        Modifies registry class
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        253⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        254⤵
        
        PID:4864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        255⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        256⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        257⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        258⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        259⤵
        Drops file in Windows directory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        262⤵
        Modifies registry class
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        263⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        264⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        265⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        266⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        267⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        268⤵
        Modifies registry class
        
        PID:1032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        270⤵
        Modifies registry class
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        271⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        272⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        273⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        274⤵
        Checks computer location settings
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        275⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        276⤵
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        277⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        278⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        279⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        280⤵
        Checks computer location settings
        
        PID:1252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        281⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        282⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        284⤵
        Checks computer location settings
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        285⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        286⤵
        Checks computer location settings
        
        PID:3928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        288⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        289⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        290⤵
        
        PID:3804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        291⤵
        Drops file in Windows directory
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        292⤵
        Checks computer location settings
        
        PID:752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        294⤵
        Modifies registry class
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        295⤵
        Drops file in Windows directory
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        296⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        297⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        298⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        299⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        300⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        301⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        303⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        304⤵
        Modifies registry class
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        305⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        306⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        307⤵
        Drops file in Windows directory
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        308⤵
        
        PID:1132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        309⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        310⤵
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        311⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        312⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        313⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        314⤵
        
        PID:720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        315⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        316⤵
        Checks computer location settings
        
        PID:4308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        317⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        318⤵
        Checks computer location settings
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        319⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        320⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        321⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        322⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        323⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        324⤵
        
        PID:3172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        325⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        326⤵
        
        PID:1280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        327⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        328⤵
        
        PID:716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        329⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        330⤵
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        331⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        332⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        333⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        334⤵
        
        PID:3352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        335⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        336⤵
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        337⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        338⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        339⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        340⤵
        
        PID:1888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE"
        341⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\A02857~1.EXE
        342⤵
        
        PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4048

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3048

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:544

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv SZDH1IBSbUqp3NEs9Z4Afg.0.2
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
127KB

MD5
02c064bea2cf9da44904c9a1ecb61c48

SHA1
75b874030dc2300f6663ba70e3bb5b4475e4b89c

SHA256
3ed504ee3804fdd067bf02599ae9d41ef0f795f9f6f5ae1038e25578d0230f0a

SHA512
fb8aa2bba96efa28fd56ccf5bb0d2505c13d4b98740ad3f5c1b8b0ea131ebd4f9e9822d259e9c96ec595c5843f908f12b51880a8d4c366721591e89c830a5ce8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
fbbde1cc9128fff8bdffd792e6ea8cce

SHA1
480368754e21ff97ded1f55f736c1427bb388ca3

SHA256
c26681e4c77fac521ec4ba461e34bbe17bdf566af7c004c96e30b8fc785af73c

SHA512
2ecb93ddb1f58e0f3b845e80c76b706b0adc4ab30220eda837cdf13723a730f725e97f81d2f76ef8e0148703ba8e0d4dd57a03f303d09fee78bed0bd5a0ff274

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
10748253009c18f4695b7043dcf36fdc

SHA1
22d24c7b4cd0b280f09a76534545cfdc1d66a256

SHA256
3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1

SHA512
477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
375KB

MD5
8a886cfbf7159ccfc6d5e002fa385108

SHA1
5487e2af62a48f0dcce641a87d064ac775a10439

SHA256
160b109658aa3f2e5cd44bad223718d0fc8ada50e866beff39a6fb0c9df9eec5

SHA512
0560171e65f41e60b3cd008b8026b085736457488f7a6f7ecb6110c36161abd689cf169ca473c83fadd338edf4bd0fbe961fca1f3d33c3e68f1061ba672161dc

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
178KB

MD5
dade08ddaac4b11179c9e93e082c7f6c

SHA1
43f696aa351b7acd936183be1ceac422ff38c5c7

SHA256
b73d3eb495ccd1fa156b8ff202a7386033f6ee235e186197f9731ff506345076

SHA512
6a86ab50fa5ae38723819be8a435af47570a793e3b8c9c9d7908ceeef4d33ecf040b633cb9d4425c2197234027a8789b99827d75f07c427276c8c602b0a41b3e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

Filesize
1.3MB

MD5
27a0c0f5b19f7dc4f16322ca348154b3

SHA1
8980e9b8c8aa364fd74bf79c6bb2589783f4f167

SHA256
e93259c202dce2b28acf2b48db70ef2b8d7a6cb4628e37c3c92523956359c3a1

SHA512
3cc3ef1501d0190648cd56e8b81bf39abdbb2dc68f80653f785b9f45141598124a1925bdcaf94a5302ef53f01a9e239e52daa867d2f6917a757ca6db8e6d661d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a02857c9e35f9e22c687999c820398c12fbff61dbfc0a60061b31f9453743112N.exe

Filesize
316KB

MD5
899e5adb7c97b7b30ed5cf19715bcebb

SHA1
9d42fc606a6950673c4a450c1bc6f89163ed2652

SHA256
847c20abf53db2e89536bb6fac48178ce22787959a772853446ad73ead39e3e8

SHA512
248a24ee317706c2b82a7876e6cf0b170123dd9f4664dec138d4c64e74c80539b2074b80f7f8edb6b5ffdc9e6733fc85f95f805849a0528a22f6af2f4a80896e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
05ba43ee3b4389f21dfc2c8b9396b05f

SHA1
c841388805f596e92b289aeb82f9c105bb258bda

SHA256
43cab9fb8eee3de5a5163a86802fb28cc754236a6845d35c9eae4400170a82a0

SHA512
92ff8e55c4618115a6847692dd3f688be20a082cddcfc000f9bf9dcb780b9d3423f4cfcca39fe0a62ce4e53fb040e58367a05066697f0174782a8237d2031bf8

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/412-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/456-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/868-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1152-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1236-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1248-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1260-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1380-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1380-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1716-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-420-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2408-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2892-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3112-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3120-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3392-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3468-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3556-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3592-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3620-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3804-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3952-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4024-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4152-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4228-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4324-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4328-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4432-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4536-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4540-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4560-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4708-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4760-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4964-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5032-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5044-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5068-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads