neshta | c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480

Analysis

max time kernel
33s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
Size

1.9MB
MD5

92f3d1d15ba772bd14dc2316915b7e00
SHA1

7268cbe49243e8125c9540b9f6d91e5e1a77e8b8
SHA256

c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480
SHA512

4f5ec39e45334290a8c435b6ba6865916efbf50eb5a9c5b84b684540d004119c24c1dde0a1a2a56535975f953a0861bf4b2fccc57307a62dd7c2d4be473ba7b9
SSDEEP

49152:5W+KX91+mP9BzpyLbv98QuyyPhNqxMXkUcLg2HyqbAa:fKX91+mP7zpyLbv98QuyyPhgxMXkUsgV

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c59-4.dat	family_neshta
behavioral2/files/0x0007000000023c5a-11.dat	family_neshta
behavioral2/memory/4972-18-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3064-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3488-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5012-41-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4428-53-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3988-42-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1092-54-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1256-58-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3720-66-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1248-77-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4644-89-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3464-78-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020348-107.dat	family_neshta
behavioral2/memory/1392-113-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2364-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2556-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2524-136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4000-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1368-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3580-149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4868-160-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000214d9-174.dat	family_neshta
behavioral2/files/0x00010000000214d8-177.dat	family_neshta
behavioral2/files/0x00010000000214da-176.dat	family_neshta
behavioral2/files/0x0001000000022f2a-185.dat	family_neshta
behavioral2/files/0x00010000000167af-206.dat	family_neshta
behavioral2/files/0x0001000000016801-205.dat	family_neshta
behavioral2/files/0x0001000000022f6d-201.dat	family_neshta
behavioral2/files/0x000100000001dbd1-220.dat	family_neshta
behavioral2/files/0x0001000000016918-233.dat	family_neshta
behavioral2/files/0x0001000000016915-230.dat	family_neshta
behavioral2/memory/3204-191-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4684-170-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4676-240-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000b00000001e614-249.dat	family_neshta
behavioral2/memory/2708-262-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000400000001e6aa-245.dat	family_neshta
behavioral2/memory/2652-263-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4804-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2592-276-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5108-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3988-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4836-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/492-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4044-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4896-307-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2268-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4492-315-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5100-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1012-323-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1936-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2368-331-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2276-338-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3252-339-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4652-341-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3556-347-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4316-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2216-355-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4000-357-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4032-363-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5060-370-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3384-371-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	C85F4D~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
1144	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
4972	svchost.com
3064	C85F4D~1.EXE
3488	svchost.com
5012	C85F4D~1.EXE
3988	svchost.com
4428	C85F4D~1.EXE
1092	svchost.com
1256	C85F4D~1.EXE
3720	svchost.com
1248	C85F4D~1.EXE
3464	svchost.com
4644	C85F4D~1.EXE
1392	svchost.com
2364	C85F4D~1.EXE
2556	svchost.com
2524	C85F4D~1.EXE
4000	svchost.com
1368	C85F4D~1.EXE
3580	svchost.com
4868	C85F4D~1.EXE
4684	svchost.com
3204	C85F4D~1.EXE
4676	svchost.com
2708	C85F4D~1.EXE
2652	svchost.com
4804	C85F4D~1.EXE
2592	svchost.com
5108	C85F4D~1.EXE
3988	svchost.com
4836	C85F4D~1.EXE
492	svchost.com
4044	C85F4D~1.EXE
4896	svchost.com
2268	C85F4D~1.EXE
4492	svchost.com
5100	C85F4D~1.EXE
1012	svchost.com
1936	C85F4D~1.EXE
2368	svchost.com
2276	C85F4D~1.EXE
3252	svchost.com
4652	C85F4D~1.EXE
3556	svchost.com
4316	C85F4D~1.EXE
2216	svchost.com
4000	C85F4D~1.EXE
4032	svchost.com
5060	C85F4D~1.EXE
3384	svchost.com
404	C85F4D~1.EXE
2880	svchost.com
4196	C85F4D~1.EXE
2104	svchost.com
824	C85F4D~1.EXE
4352	svchost.com
1172	C85F4D~1.EXE
2992	svchost.com
1404	C85F4D~1.EXE
1656	svchost.com
1304	C85F4D~1.EXE
4772	svchost.com
3244	C85F4D~1.EXE
4980	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE
File opened for modification	C:\Windows\svchost.com	C85F4D~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C85F4D~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	C85F4D~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1144	4636	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	83
PID 4636 wrote to memory of 1144	4636	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	83
PID 4636 wrote to memory of 1144	4636	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	83
PID 1144 wrote to memory of 4972	1144	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	84
PID 1144 wrote to memory of 4972	1144	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	84
PID 1144 wrote to memory of 4972	1144	c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe	84
PID 4972 wrote to memory of 3064	4972	svchost.com	85
PID 4972 wrote to memory of 3064	4972	svchost.com	85
PID 4972 wrote to memory of 3064	4972	svchost.com	85
PID 3064 wrote to memory of 3488	3064	C85F4D~1.EXE	86
PID 3064 wrote to memory of 3488	3064	C85F4D~1.EXE	86
PID 3064 wrote to memory of 3488	3064	C85F4D~1.EXE	86
PID 3488 wrote to memory of 5012	3488	svchost.com	87
PID 3488 wrote to memory of 5012	3488	svchost.com	87
PID 3488 wrote to memory of 5012	3488	svchost.com	87
PID 5012 wrote to memory of 3988	5012	C85F4D~1.EXE	112
PID 5012 wrote to memory of 3988	5012	C85F4D~1.EXE	112
PID 5012 wrote to memory of 3988	5012	C85F4D~1.EXE	112
PID 3988 wrote to memory of 4428	3988	svchost.com	89
PID 3988 wrote to memory of 4428	3988	svchost.com	89
PID 3988 wrote to memory of 4428	3988	svchost.com	89
PID 4428 wrote to memory of 1092	4428	C85F4D~1.EXE	90
PID 4428 wrote to memory of 1092	4428	C85F4D~1.EXE	90
PID 4428 wrote to memory of 1092	4428	C85F4D~1.EXE	90
PID 1092 wrote to memory of 1256	1092	svchost.com	91
PID 1092 wrote to memory of 1256	1092	svchost.com	91
PID 1092 wrote to memory of 1256	1092	svchost.com	91
PID 1256 wrote to memory of 3720	1256	C85F4D~1.EXE	92
PID 1256 wrote to memory of 3720	1256	C85F4D~1.EXE	92
PID 1256 wrote to memory of 3720	1256	C85F4D~1.EXE	92
PID 3720 wrote to memory of 1248	3720	svchost.com	93
PID 3720 wrote to memory of 1248	3720	svchost.com	93
PID 3720 wrote to memory of 1248	3720	svchost.com	93
PID 1248 wrote to memory of 3464	1248	C85F4D~1.EXE	202
PID 1248 wrote to memory of 3464	1248	C85F4D~1.EXE	202
PID 1248 wrote to memory of 3464	1248	C85F4D~1.EXE	202
PID 3464 wrote to memory of 4644	3464	svchost.com	203
PID 3464 wrote to memory of 4644	3464	svchost.com	203
PID 3464 wrote to memory of 4644	3464	svchost.com	203
PID 4644 wrote to memory of 1392	4644	C85F4D~1.EXE	210
PID 4644 wrote to memory of 1392	4644	C85F4D~1.EXE	210
PID 4644 wrote to memory of 1392	4644	C85F4D~1.EXE	210
PID 1392 wrote to memory of 2364	1392	svchost.com	97
PID 1392 wrote to memory of 2364	1392	svchost.com	97
PID 1392 wrote to memory of 2364	1392	svchost.com	97
PID 2364 wrote to memory of 2556	2364	C85F4D~1.EXE	98
PID 2364 wrote to memory of 2556	2364	C85F4D~1.EXE	98
PID 2364 wrote to memory of 2556	2364	C85F4D~1.EXE	98
PID 2556 wrote to memory of 2524	2556	svchost.com	99
PID 2556 wrote to memory of 2524	2556	svchost.com	99
PID 2556 wrote to memory of 2524	2556	svchost.com	99
PID 2524 wrote to memory of 4000	2524	C85F4D~1.EXE	129
PID 2524 wrote to memory of 4000	2524	C85F4D~1.EXE	129
PID 2524 wrote to memory of 4000	2524	C85F4D~1.EXE	129
PID 4000 wrote to memory of 1368	4000	svchost.com	218
PID 4000 wrote to memory of 1368	4000	svchost.com	218
PID 4000 wrote to memory of 1368	4000	svchost.com	218
PID 1368 wrote to memory of 3580	1368	C85F4D~1.EXE	102
PID 1368 wrote to memory of 3580	1368	C85F4D~1.EXE	102
PID 1368 wrote to memory of 3580	1368	C85F4D~1.EXE	102
PID 3580 wrote to memory of 4868	3580	svchost.com	103
PID 3580 wrote to memory of 4868	3580	svchost.com	103
PID 3580 wrote to memory of 4868	3580	svchost.com	103
PID 4868 wrote to memory of 4684	4868	C85F4D~1.EXE	260

C:\Users\Admin\AppData\Local\Temp\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
"C:\Users\Admin\AppData\Local\Temp\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\3582-490\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        27⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        35⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        43⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        51⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        55⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        66⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        67⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        68⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        69⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        70⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        73⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        74⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        75⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        76⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        77⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        78⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        80⤵
        Checks computer location settings
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        84⤵
        Checks computer location settings
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        85⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        87⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        88⤵
        Checks computer location settings
        
        PID:3448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        90⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        91⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        92⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        93⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        94⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        96⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        97⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        98⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        100⤵
        
        PID:4696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        101⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        102⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        103⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        104⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        105⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        106⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        108⤵
        
        PID:4260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        109⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        110⤵
        Checks computer location settings
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        111⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        112⤵
        Checks computer location settings
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        113⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        114⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        115⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        118⤵
        Checks computer location settings
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        119⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        120⤵
        Modifies registry class
        
        PID:3464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        121⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        122⤵
        Modifies registry class
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        123⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        124⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        125⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        126⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        127⤵
        Drops file in Windows directory
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        128⤵
        
        PID:1392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        130⤵
        Checks computer location settings
        
        PID:3556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        131⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        132⤵
        Checks computer location settings
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        133⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        134⤵
        Checks computer location settings
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        135⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        138⤵
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        140⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        141⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        142⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        144⤵
        Drops file in Windows directory
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        146⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        148⤵
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        149⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        150⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        151⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        152⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        153⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        154⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        155⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        156⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        157⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        159⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        160⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        162⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        163⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        164⤵
        Checks computer location settings
        
        PID:3404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        166⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        167⤵
        Drops file in Windows directory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        169⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        170⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        172⤵
        
        PID:3344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        173⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        174⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        175⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        176⤵
        
        PID:3296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        177⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        178⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        179⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        181⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        182⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        183⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        184⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        185⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        186⤵
        
        PID:4580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        187⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        188⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        189⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        190⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        191⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        192⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        193⤵
        Drops file in Windows directory
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        194⤵
        
        PID:3876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        196⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        197⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        198⤵
        Checks computer location settings
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        199⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        200⤵
        
        PID:760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        201⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        202⤵
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        203⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        204⤵
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        205⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        206⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        207⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        210⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        211⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        212⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        213⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        214⤵
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        215⤵
        Drops file in Windows directory
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        216⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        217⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        218⤵
        Checks computer location settings
        Modifies registry class
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        220⤵
        Drops file in Windows directory
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        221⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        222⤵
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        225⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        227⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        228⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        230⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        231⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        232⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        233⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        234⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        235⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        236⤵
        Checks computer location settings
        
        PID:3740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        237⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        238⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        239⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        240⤵
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        241⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        242⤵
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        243⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        244⤵
        Checks computer location settings
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        245⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        246⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        247⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        248⤵
        Modifies registry class
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        250⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        251⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        252⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        253⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        254⤵
        Modifies registry class
        
        PID:1892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        255⤵
        Drops file in Windows directory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        256⤵
        Checks computer location settings
        
        PID:3824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        257⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        258⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        259⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        260⤵
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        261⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        262⤵
        Drops file in Windows directory
        
        PID:4488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        264⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        266⤵
        Checks computer location settings
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        268⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        270⤵
        
        PID:456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        271⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        272⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        274⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        275⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        276⤵
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        277⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        278⤵
        
        PID:3252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        279⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        280⤵
        
        PID:4644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        281⤵
        Drops file in Windows directory
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        282⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        283⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        284⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        285⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        286⤵
        Modifies registry class
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        287⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        288⤵
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        289⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        290⤵
        
        PID:3196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        291⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        292⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        294⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        295⤵
        Drops file in Windows directory
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        296⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        297⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        298⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        300⤵
        Modifies registry class
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        301⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        302⤵
        Checks computer location settings
        
        PID:4332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        303⤵
        Drops file in Windows directory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        304⤵
        Modifies registry class
        
        PID:4392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        305⤵
        Drops file in Windows directory
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        306⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        307⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        308⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        311⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        312⤵
        
        PID:4444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        313⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        314⤵
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        315⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        316⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        317⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        318⤵
        
        PID:4044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        319⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        320⤵
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        321⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        322⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        323⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        324⤵
        
        PID:1892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        325⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        326⤵
        
        PID:2164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        327⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        328⤵
        
        PID:4448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        329⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        330⤵
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        331⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        332⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        333⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        334⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        335⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        336⤵
        
        PID:4640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        337⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        338⤵
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        339⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        340⤵
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        341⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        342⤵
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        343⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        344⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        345⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        346⤵
        
        PID:3720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        347⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        348⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        349⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        350⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE"
        351⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\C85F4D~1.EXE
        352⤵
        
        PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1172

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
426KB

MD5
0f3d2f34a052e9d146ec36a4c645aae7

SHA1
710873444c9a9036e60d7e0371e37c1f07ba9f96

SHA256
3b3d75ae37e30bc7db34ab6001c880efcd23fc513c4afcd2e3b7b7eb3c62f9f3

SHA512
74fb0412feac2e21344369d66e704a1acd8539280746a7b6948d36ee4a9a6570ea24f9cddcc2fa3d820a028c7f1b037b1289173f3ba99932acc80e709b0ae9de

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
366KB

MD5
927c75ca98552179273baebb2038b44e

SHA1
e85f3a6b2f25c344a76306579a488ee3a757a1cf

SHA256
625a894f316118bcb6b291fcfe0d35b3bf0204285999885eb5b489bf1bd8581f

SHA512
55b0498c69568b3ef45a5ea22dbccb582b45e969678339b66264ab2186416ff373a3cef4c13b4ec06fe18dca575e7d54ba20a0645c3c54816882fd3d51c48bfc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

Filesize
146KB

MD5
d9a290f7aec8aff3591c189b3cf8610a

SHA1
7558d29fb32018897c25e0ac1c86084116f1956c

SHA256
41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea

SHA512
b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

Filesize
139KB

MD5
1e09e65111ab34cb84f7855d3cddc680

SHA1
f9f852104b46d99cc7f57a6f40d5db2090be04c0

SHA256
8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c

SHA512
003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c85f4d9fcefa90aabdfae96303a975b3a19f360340db04bf0ef4f02dba2d8480N.exe

Filesize
1.9MB

MD5
f8c927327c8f72150cf63a14b104a842

SHA1
ecda5bcb7f67aadb4586d5ac78814b47d069c973

SHA256
11c71279223f42e0d6b52cfa0dfb098b5aaa21ef75b1e4ea4281bc7bdfd527db

SHA512
808bbf95d284318cb08fda3fddcb75f1a96d1d5308d71da6907720fc85e3915931eba69873d57085fe5f862456ce84e0136abf0f25f604dbfdd857f8e7612b41

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
5916a4e828550a7eff46c9046c555193

SHA1
114b6bdcdc56ff4ffdeff14a7321c9857ba4e418

SHA256
80f521ffe76469455794ff4ebc60ebe7239ab9590f7b542468627e22dadcbac4

SHA512
f7d8109f5cd168d6a6933a10fbff15b7aa3aac546970a8b08c5516bbe758b4df5eda861345888c9fc3d9e793f7b898bf355452c558bf69d1646d558e44f36f96

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
0b492fbf3141e191f139b1b36fec3f2f

SHA1
705afb4695a6ad71c3b7d6297b7381f2630f0813

SHA256
22a0d830a621d947d6dc37c2975758ff550709bda2ac6bd5ff0ca5f06f4db42e

SHA512
779a011ddce212d32ed0f671aa0ff2e6e9859e9cce73f3def2e5f6f78680e2a1a2ecc322511adf19c1d96ebc8ce1c91dcacb5977c4fc4aa47f6823297bd3e2df

Download Submit
memory/404-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/492-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/824-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1012-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1092-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1172-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1248-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1256-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1304-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1392-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1404-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1656-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-355-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2276-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2652-263-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-262-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3064-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3204-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3244-426-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3252-339-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3384-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3464-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3488-434-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3488-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3556-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3580-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3720-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4032-363-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4044-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4196-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4316-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4352-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4428-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4492-315-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4644-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4652-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4676-240-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4772-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4804-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4836-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4868-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4972-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5012-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5060-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5100-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5108-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads