neshta | ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
Size

1.4MB
MD5

548c6df1a5d12caf303c5dc03d014ccf
SHA1

37d51126cd8d7c4ddc2a152cc58bd66d9be8d5fc
SHA256

ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da
SHA512

558cdb5379525fb1e03a9b66cdf733ffa5478981415b58225374a93e815cd3fdcb34cb88310e16fb8065c7d1fcb12444f28196ac6c33b18be38fe3448489f403
SSDEEP

24576:ZKzcVkyEq9DRho1jFP8ltPP01Ws7+wFPEl9ix4fpUzoQDt+egElxdqFWVCGCdJ:ZKzcCyEq9DRho/ctH01Ws74rA4RUBDHo

Score

10^/10

neshta discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b84-4.dat	family_neshta
behavioral2/files/0x000a000000023b88-11.dat	family_neshta
behavioral2/memory/3308-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4936-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4744-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3180-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4384-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3016-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2264-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1548-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3256-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3716-75-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1276-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4868-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/540-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5064-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1012-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3248-110-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020343-113.dat	family_neshta
behavioral2/files/0x0006000000020216-118.dat	family_neshta
behavioral2/files/0x000700000002027e-116.dat	family_neshta
behavioral2/files/0x0004000000020336-126.dat	family_neshta
behavioral2/files/0x0004000000020309-131.dat	family_neshta
behavioral2/memory/2728-135-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2584-139-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3460-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020235-159.dat	family_neshta
behavioral2/memory/5016-160-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214da-175.dat	family_neshta
behavioral2/files/0x00010000000214d9-173.dat	family_neshta
behavioral2/files/0x00010000000214d8-171.dat	family_neshta
behavioral2/files/0x0001000000022f2b-183.dat	family_neshta
behavioral2/files/0x0001000000022f67-187.dat	family_neshta
behavioral2/files/0x0001000000022f2a-178.dat	family_neshta
behavioral2/files/0x0001000000016808-189.dat	family_neshta
behavioral2/files/0x000200000001dc0c-203.dat	family_neshta
behavioral2/files/0x000100000001691f-214.dat	family_neshta
behavioral2/files/0x0001000000022e64-217.dat	family_neshta
behavioral2/files/0x000100000001691c-213.dat	family_neshta
behavioral2/files/0x000200000000072d-220.dat	family_neshta
behavioral2/files/0x000300000001e877-223.dat	family_neshta
behavioral2/memory/3968-229-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3304-242-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4952-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4808-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/456-261-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3180-263-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3956-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2552-271-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2028-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/636-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4048-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3076-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4060-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3404-300-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2400-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1952-308-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2700-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/624-316-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3168-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4956-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3996-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3976-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/60-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CA57E9~1.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
4920	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
3308	svchost.com
4936	CA57E9~1.EXE
4744	svchost.com
3180	CA57E9~1.EXE
4384	svchost.com
3016	CA57E9~1.EXE
2264	svchost.com
1548	CA57E9~1.EXE
3256	svchost.com
3716	CA57E9~1.EXE
1276	svchost.com
4868	CA57E9~1.EXE
540	svchost.com
5064	CA57E9~1.EXE
1012	svchost.com
3248	CA57E9~1.EXE
2728	svchost.com
2584	CA57E9~1.EXE
3460	svchost.com
5016	CA57E9~1.EXE
3968	svchost.com
3304	CA57E9~1.EXE
4952	svchost.com
4808	CA57E9~1.EXE
456	svchost.com
3180	CA57E9~1.EXE
3956	svchost.com
2552	CA57E9~1.EXE
2028	svchost.com
636	CA57E9~1.EXE
4048	svchost.com
3076	CA57E9~1.EXE
4060	svchost.com
3404	CA57E9~1.EXE
2400	svchost.com
1952	CA57E9~1.EXE
2700	svchost.com
624	CA57E9~1.EXE
3168	svchost.com
4956	CA57E9~1.EXE
3996	svchost.com
3976	CA57E9~1.EXE
60	svchost.com
1140	CA57E9~1.EXE
4592	svchost.com
2404	CA57E9~1.EXE
4812	svchost.com
1936	CA57E9~1.EXE
5004	svchost.com
5060	CA57E9~1.EXE
4960	svchost.com
4252	CA57E9~1.EXE
1956	svchost.com
324	CA57E9~1.EXE
4488	svchost.com
4936	CA57E9~1.EXE
1084	svchost.com
4984	CA57E9~1.EXE
4684	svchost.com
3228	CA57E9~1.EXE
4168	svchost.com
4272	CA57E9~1.EXE
4736	svchost.com

Loads dropped DLL 10 IoCs

pid	Process
4376	GoogleUpdate.exe
4120	GoogleUpdate.exe
1136	GoogleUpdate.exe
3564	GoogleUpdateComRegisterShell64.exe
1136	GoogleUpdate.exe
3188	GoogleUpdateComRegisterShell64.exe
1136	GoogleUpdate.exe
4000	GoogleUpdateComRegisterShell64.exe
1136	GoogleUpdate.exe
2636	GoogleUpdate.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_ru.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_et.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ta.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_hr.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_sr.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_de.dll	CA57E9~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\psmachine_64.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_da.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_lt.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ur.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_lv.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_zh-TW.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_th.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_fil.dll	CA57E9~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_en-GB.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe	GoogleUpdate.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_pl.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_sr.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_en.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_da.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_ja.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\goopdateres_th.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_pt-BR.dll	GoogleUpdate.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\psmachine.dll	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\GoogleUpdateSetup.exe	CA57E9~1.EXE
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.372\goopdateres_en-GB.dll	GoogleUpdate.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	CA57E9~1.EXE
File opened for modification	C:\Windows\directx.sys	CA57E9~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CA57E9~1.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2636	GoogleUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ = "IPackage"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4C0B6D8C-1ECE-47E8-8C92-4CD88C0274DA}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C0B6D8C-1ECE-47E8-8C92-4CD88C0274DA}\InprocHandler32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\psmachine.dll"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods\ = "6"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachine\CurVer\ = "GoogleUpdate.PolicyStatusMachine.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation\Enabled = "1"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B50B3FA2-B519-4C16-A932-46E9FFD1D910}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods\ = "43"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\goopdate.dll,-3000"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ProgID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4C0B6D8C-1ECE-47E8-8C92-4CD88C0274DA}\InprocHandler32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods\ = "23"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ELEVATION	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Google Update Legacy On Demand"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\ = "5"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	CA57E9~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\ = "Google Update Broker Class Factory"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{B50B3FA2-B519-4C16-A932-46E9FFD1D910}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.372\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe
4376	GoogleUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	GoogleUpdate.exe
Token: SeDebugPrivilege	4376	GoogleUpdate.exe
Token: SeDebugPrivilege	4376	GoogleUpdate.exe
Token: SeDebugPrivilege	4376	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 4920	2684	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	83
PID 2684 wrote to memory of 4920	2684	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	83
PID 2684 wrote to memory of 4920	2684	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	83
PID 4920 wrote to memory of 3308	4920	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	84
PID 4920 wrote to memory of 3308	4920	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	84
PID 4920 wrote to memory of 3308	4920	ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe	84
PID 3308 wrote to memory of 4936	3308	svchost.com	85
PID 3308 wrote to memory of 4936	3308	svchost.com	85
PID 3308 wrote to memory of 4936	3308	svchost.com	85
PID 4936 wrote to memory of 4744	4936	CA57E9~1.EXE	86
PID 4936 wrote to memory of 4744	4936	CA57E9~1.EXE	86
PID 4936 wrote to memory of 4744	4936	CA57E9~1.EXE	86
PID 4744 wrote to memory of 3180	4744	svchost.com	109
PID 4744 wrote to memory of 3180	4744	svchost.com	109
PID 4744 wrote to memory of 3180	4744	svchost.com	109
PID 3180 wrote to memory of 4384	3180	CA57E9~1.EXE	88
PID 3180 wrote to memory of 4384	3180	CA57E9~1.EXE	88
PID 3180 wrote to memory of 4384	3180	CA57E9~1.EXE	88
PID 4384 wrote to memory of 3016	4384	svchost.com	89
PID 4384 wrote to memory of 3016	4384	svchost.com	89
PID 4384 wrote to memory of 3016	4384	svchost.com	89
PID 3016 wrote to memory of 2264	3016	CA57E9~1.EXE	90
PID 3016 wrote to memory of 2264	3016	CA57E9~1.EXE	90
PID 3016 wrote to memory of 2264	3016	CA57E9~1.EXE	90
PID 2264 wrote to memory of 1548	2264	svchost.com	91
PID 2264 wrote to memory of 1548	2264	svchost.com	91
PID 2264 wrote to memory of 1548	2264	svchost.com	91
PID 1548 wrote to memory of 3256	1548	CA57E9~1.EXE	92
PID 1548 wrote to memory of 3256	1548	CA57E9~1.EXE	92
PID 1548 wrote to memory of 3256	1548	CA57E9~1.EXE	92
PID 3256 wrote to memory of 3716	3256	svchost.com	93
PID 3256 wrote to memory of 3716	3256	svchost.com	93
PID 3256 wrote to memory of 3716	3256	svchost.com	93
PID 3716 wrote to memory of 1276	3716	CA57E9~1.EXE	94
PID 3716 wrote to memory of 1276	3716	CA57E9~1.EXE	94
PID 3716 wrote to memory of 1276	3716	CA57E9~1.EXE	94
PID 1276 wrote to memory of 4868	1276	svchost.com	95
PID 1276 wrote to memory of 4868	1276	svchost.com	95
PID 1276 wrote to memory of 4868	1276	svchost.com	95
PID 4868 wrote to memory of 540	4868	CA57E9~1.EXE	96
PID 4868 wrote to memory of 540	4868	CA57E9~1.EXE	96
PID 4868 wrote to memory of 540	4868	CA57E9~1.EXE	96
PID 540 wrote to memory of 5064	540	svchost.com	97
PID 540 wrote to memory of 5064	540	svchost.com	97
PID 540 wrote to memory of 5064	540	svchost.com	97
PID 5064 wrote to memory of 1012	5064	CA57E9~1.EXE	98
PID 5064 wrote to memory of 1012	5064	CA57E9~1.EXE	98
PID 5064 wrote to memory of 1012	5064	CA57E9~1.EXE	98
PID 1012 wrote to memory of 3248	1012	svchost.com	99
PID 1012 wrote to memory of 3248	1012	svchost.com	99
PID 1012 wrote to memory of 3248	1012	svchost.com	99
PID 3248 wrote to memory of 2728	3248	CA57E9~1.EXE	100
PID 3248 wrote to memory of 2728	3248	CA57E9~1.EXE	100
PID 3248 wrote to memory of 2728	3248	CA57E9~1.EXE	100
PID 2728 wrote to memory of 2584	2728	svchost.com	101
PID 2728 wrote to memory of 2584	2728	svchost.com	101
PID 2728 wrote to memory of 2584	2728	svchost.com	101
PID 2584 wrote to memory of 3460	2584	CA57E9~1.EXE	102
PID 2584 wrote to memory of 3460	2584	CA57E9~1.EXE	102
PID 2584 wrote to memory of 3460	2584	CA57E9~1.EXE	102
PID 3460 wrote to memory of 5016	3460	svchost.com	103
PID 3460 wrote to memory of 5016	3460	svchost.com	103
PID 3460 wrote to memory of 5016	3460	svchost.com	103
PID 5016 wrote to memory of 3968	5016	CA57E9~1.EXE	104

C:\Users\Admin\AppData\Local\Temp\ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
"C:\Users\Admin\AppData\Local\Temp\ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\3582-490\ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        41⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        66⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        67⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        69⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        70⤵
        
        PID:3364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        71⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        72⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        74⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        75⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        77⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        78⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        79⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        81⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        82⤵
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        85⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        86⤵
        Checks computer location settings
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        87⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        88⤵
        Drops file in Windows directory
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        89⤵
        Drops file in Windows directory
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        90⤵
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        91⤵
        Drops file in Windows directory
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        92⤵
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        93⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        94⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        95⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        96⤵
        Checks computer location settings
        
        PID:4808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        98⤵
        Drops file in Windows directory
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        99⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        100⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        101⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        103⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        104⤵
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        106⤵
        
        PID:3552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        107⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        108⤵
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        109⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        111⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        112⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        113⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        114⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        115⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        116⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        117⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        118⤵
        
        PID:3168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        119⤵
        Drops file in Windows directory
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        120⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        121⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        122⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        124⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        126⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        128⤵
        Checks computer location settings
        
        PID:1780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        129⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        130⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        131⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        132⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        134⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        135⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        136⤵
        
        PID:4252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        137⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        138⤵
        Drops file in Windows directory
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        140⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        141⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        142⤵
        Checks computer location settings
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        143⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        144⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        145⤵
        Drops file in Windows directory
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        146⤵
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        147⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        148⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        149⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        150⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        151⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        152⤵
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        154⤵
        
        PID:400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        155⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        156⤵
        
        PID:4748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        157⤵
        Drops file in Windows directory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        158⤵
        Checks computer location settings
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        159⤵
        Drops file in Windows directory
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        160⤵
        
        PID:1552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        161⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        163⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        165⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        166⤵
        Drops file in Windows directory
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        167⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        168⤵
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        169⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        170⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        171⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        172⤵
        Checks computer location settings
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        174⤵
        Checks computer location settings
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        175⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        176⤵
        Checks computer location settings
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        177⤵
        Drops file in Windows directory
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        178⤵
        
        PID:4692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        180⤵
        Drops file in Windows directory
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        181⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        182⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        183⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        184⤵
        Checks computer location settings
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        186⤵
        Drops file in Windows directory
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        188⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        189⤵
        Drops file in Windows directory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        190⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        191⤵
        Drops file in Windows directory
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        192⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        193⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        194⤵
        Drops file in Windows directory
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        195⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        196⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        197⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        198⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        199⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        200⤵
        Checks computer location settings
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        201⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        202⤵
        Drops file in Windows directory
        
        PID:3364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        203⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        204⤵
        Checks computer location settings
        
        PID:3368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        205⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        206⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        208⤵
        Drops file in Windows directory
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        209⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        210⤵
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        211⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        212⤵
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        213⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        214⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        215⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        216⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        217⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        218⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        219⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        220⤵
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        222⤵
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        223⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        224⤵
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        225⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        226⤵
        
        PID:4484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        227⤵
        Drops file in Windows directory
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        228⤵
        Drops file in Windows directory
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        229⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        230⤵
        
        PID:3304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        232⤵
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        233⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        234⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        236⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        237⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        239⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        240⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        241⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        243⤵
        Drops file in Windows directory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        244⤵
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        246⤵
        Modifies registry class
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        247⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        248⤵
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        249⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        250⤵
        Checks computer location settings
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        251⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        252⤵
        
        PID:3956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        253⤵
        Drops file in Windows directory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        254⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        255⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        256⤵
        
        PID:4304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        257⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        259⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        260⤵
        Checks computer location settings
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        261⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        262⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        263⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        264⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        265⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        267⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        268⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        269⤵
        Drops file in Windows directory
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        271⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        272⤵
        Drops file in Windows directory
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        273⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        274⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        275⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        276⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        277⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        278⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        280⤵
        Drops file in Windows directory
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        281⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        282⤵
        Checks computer location settings
        
        PID:1224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        283⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        284⤵
        Drops file in Windows directory
        
        PID:3716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        285⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        286⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        287⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        288⤵
        Checks computer location settings
        
        PID:1348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        289⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        290⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        291⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        292⤵
        Drops file in Windows directory
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        293⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        294⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        295⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        296⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        297⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        298⤵
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        300⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        301⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        302⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        303⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        304⤵
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        305⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        306⤵
        
        PID:836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        308⤵
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        310⤵
        Checks computer location settings
        
        PID:3312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        311⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        312⤵
        
        PID:3356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        313⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        314⤵
        Drops file in Windows directory
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        315⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        316⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        317⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        318⤵
        Checks computer location settings
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        319⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        320⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        321⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        322⤵
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        323⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        325⤵
        Drops file in Windows directory
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        326⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        327⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        328⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        329⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        330⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        332⤵
        Checks computer location settings
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        333⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        334⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE"
        335⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\CA57E9~1.EXE
        336⤵
        Drops file in Program Files directory
        
        PID:32
        
        C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Temp\GUMEF91.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2ECE7FC6-6575-8918-D8E4-264EFADBF24D}&lang=zh-CN&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty"
        337⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        338⤵
        Loads dropped DLL
        
        PID:4120
        
        C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        338⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1136
        
        C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"
        339⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3564
        
        C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"
        339⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3188
        
        C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe"
        339⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4000
        
        C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNzIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTgxRUQ2OUEtNjhCOC00RDZGLUFDMjctODJDMDI3NzZENDhBfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezcyOEFDQ0NFLURDNzctNDIzOS04NTQyLUZDMjI5NkVGMkM3RX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjM3MSIgbmV4dHZlcnNpb249IjEuMy4zNi4zNzIiIGxhbmc9InpoLUNOIiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7MkVDRTdGQzYtNjU3NS04OTE4LUQ4RTQtMjY0RUZBREJGMjREfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI2ODgiLz48L2FwcD48L3JlcXVlc3Q-
        338⤵
        Loads dropped DLL
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~2\Google\Update\GOOGLE~1.EXE" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2ECE7FC6-6575-8918-D8E4-264EFADBF24D}&lang=zh-CN&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{E81ED69A-68B8-4D6F-AC27-82C02776D48A}"
        338⤵
        Drops file in Windows directory
        
        PID:4712
        
        C:\PROGRA~2\Google\Update\GOOGLE~1.EXE
        
        C:\PROGRA~2\Google\Update\GOOGLE~1.EXE /handoff appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2ECE7FC6-6575-8918-D8E4-264EFADBF24D}&lang=zh-CN&browser=2&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty /installsource taggedmi /sessionid {E81ED69A-68B8-4D6F-AC27-82C02776D48A}
        339⤵
        
        PID:4164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2168

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv aPKzn+CVSkOrrmNN4rsorg.0.2
1⤵
PID:5028

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4756

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
318KB

MD5
f7ae513c4b49b132eaaca8c6439f6fd9

SHA1
5d895f3ea091a13bfd4621383c354a195b5d9582

SHA256
28383114ddb138b10a7658bd4b0709fd6e496335cef5d5da827f2687077e5add

SHA512
6c2fff3aeb43cb30a0248e361eed013a4f44e02a6bf2e17f34159e7ad00fa265b9f30038697a82ede6261a23a478b9e6c4f6c84e54576eb188c4756667ff2598

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
10748253009c18f4695b7043dcf36fdc

SHA1
22d24c7b4cd0b280f09a76534545cfdc1d66a256

SHA256
3bee29dd355e50cdf24736a2a53d8fffd9cd93e702109f20d65a7e2e2fcfd9f1

SHA512
477462d114a9aac7aead3483a5a038f1fc4484514c2aa0a4c6d6aab30075056ad439592b1f9a72cf4c4499eefa8aeb744e0c2dad439ef8efae795611df352080

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

Filesize
221KB

MD5
87bb2253f977fc3576a01e5cbb61f423

SHA1
5129844b3d8af03e8570a3afcdc5816964ed8ba4

SHA256
3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604

SHA512
7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
1e09e65111ab34cb84f7855d3cddc680

SHA1
f9f852104b46d99cc7f57a6f40d5db2090be04c0

SHA256
8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c

SHA512
003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
274KB

MD5
d84f63a0bf5eff0c8c491f69b81d1a36

SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85

SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2

SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
158KB

MD5
baf0b64af9fceab44942506f3af21c87

SHA1
e78fb7c2db9c1b1f9949f4fcd4b23596c1372e05

SHA256
581edeca339bb8c5ebc1d0193ad77f5cafa329c5a9adf8f5299b1afabed6623b

SHA512
ee590e4d5ccdd1ab6131e19806ffd0c12731dd12cf7bfb562dd8f5896d84a88eb7901c6196c85a0b7d60aee28f8cfbba62f8438d501eabd1bb01ec0b4f8d8004

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ca57e99ade26b3160109b802c747f640bf5da1345b031ed5d45e4447e9eb03da.exe

Filesize
1.4MB

MD5
2c6b93d23968cfb7c3c3c9cb3041f5cd

SHA1
723a478c36475483ea4ac0393dff406984037fd2

SHA256
499243d70504fe13b196d75217da8eb00be87da75354d271f1ebf9e0e240a57c

SHA512
8b015b2154794b6b5135d5854dd10d4f2bc3a4230593f0d9a846143bdda06cdd5ca1d8e2d817f61c094a17f5e37187b4e3ca8a418d56aa71960953634a38c637

Download Submit
C:\Windows\directx.sys

Filesize
40B

MD5
31dce455088e7e8fad4b513121de3de0

SHA1
31b0b4be199b728ca764441bde022d2685d750ae

SHA256
1158d85d0a265fa259faacb7464ee20f3b34ec22ffa580520af04d75c23cffa9

SHA512
a4d2ea5c75e9b9d9b2524f19a52426130e83c83ddd85f0e6f2e0a4b3eb9720f38719d95bb06a24c3a0cdce75817e3c846ebcdd4896626276fc2b0ec5b776cc51

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
a8d328cb216e6830b348153bc0b2a8b5

SHA1
fb7ab0c4a99f2cd0625eca59be823b590d28842f

SHA256
9df78bfb64be9dc7ae1c923e313ffc1427894669e4aeceae9ca352151b383254

SHA512
2e31d45def010429485bc0131c8cd8ea4607e8d888b0c8203e94f5e0ae8edfb8cd953b1bc3b21a93c5087ed85b2a5c1d2176df9f31a0d2f2acf1fd467c636389

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/60-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/324-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/456-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/636-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1012-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1276-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1548-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1956-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2028-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-271-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2700-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3076-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3168-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3180-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3180-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3248-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3256-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3304-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3404-300-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3460-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3956-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3968-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3976-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4048-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4252-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4272-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4488-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4592-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4736-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4812-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4868-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4952-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4960-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5004-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5016-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5060-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5064-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download