neshta | fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cd

Analysis

max time kernel
70s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
Size

933KB
MD5

f801005dffc600b995e1b41339a378d0
SHA1

d6684a0dbee4efa740e077ea9047b67436d65062
SHA256

fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cd
SHA512

a2bf657978471cdaf95a28ee50aa4e9a493ed7128086e063f7abfb071f29d2c2b15b1aeaf094b3658d54c222662e14ff079a248002a3c395e80adba9af46ea08
SSDEEP

6144:k9IW4PmT1oh8aquaGHxk12+Mo94949494949494949494949494949494949:84PI1oCdI

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b5b-4.dat	family_neshta
behavioral2/files/0x000a000000023b60-11.dat	family_neshta
behavioral2/memory/2372-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3224-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1696-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1228-32-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1240-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4912-51-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3408-52-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3996-56-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4068-64-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/100-75-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1708-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/60-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4896-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/852-92-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000400000002034d-101.dat	family_neshta
behavioral2/memory/4516-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002021c-108.dat	family_neshta
behavioral2/files/0x000100000002022f-111.dat	family_neshta
behavioral2/files/0x0004000000020352-122.dat	family_neshta
behavioral2/files/0x00010000000202b1-121.dat	family_neshta
behavioral2/files/0x0006000000020237-134.dat	family_neshta
behavioral2/files/0x0004000000020313-133.dat	family_neshta
behavioral2/memory/8-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4076-135-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3536-146-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4992-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2572-151-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x00010000000225e2-167.dat	family_neshta
behavioral2/files/0x0001000000021539-166.dat	family_neshta
behavioral2/files/0x00010000000214e4-179.dat	family_neshta
behavioral2/files/0x00010000000214e3-178.dat	family_neshta
behavioral2/files/0x0001000000022f2f-195.dat	family_neshta
behavioral2/memory/4060-199-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022f33-194.dat	family_neshta
behavioral2/files/0x00010000000214e2-177.dat	family_neshta
behavioral2/memory/1940-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/440-230-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4920-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/516-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4288-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2312-260-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/956-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2960-275-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2888-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2140-285-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3948-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3728-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2132-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3068-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1992-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/880-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4764-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3556-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1568-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1812-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3280-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1204-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4608-340-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3160-341-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/8-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1300-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1236-351-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	FA9309~1.EXE

Executes dropped EXE 64 IoCs

pid	Process
2268	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
2372	svchost.com
3224	FA9309~1.EXE
1696	svchost.com
1228	FA9309~1.EXE
1240	svchost.com
4912	FA9309~1.EXE
3408	svchost.com
3996	FA9309~1.EXE
4068	svchost.com
100	FA9309~1.EXE
1708	svchost.com
60	FA9309~1.EXE
4896	svchost.com
852	FA9309~1.EXE
4516	svchost.com
8	FA9309~1.EXE
4076	svchost.com
3536	FA9309~1.EXE
4992	svchost.com
2572	FA9309~1.EXE
1940	svchost.com
4060	FA9309~1.EXE
440	svchost.com
4920	FA9309~1.EXE
516	svchost.com
4288	FA9309~1.EXE
2312	svchost.com
956	FA9309~1.EXE
2960	svchost.com
2888	FA9309~1.EXE
2140	svchost.com
3948	FA9309~1.EXE
3728	svchost.com
2132	FA9309~1.EXE
3068	svchost.com
1992	FA9309~1.EXE
880	svchost.com
4764	FA9309~1.EXE
3556	svchost.com
1568	FA9309~1.EXE
1812	svchost.com
3280	FA9309~1.EXE
1204	svchost.com
4608	FA9309~1.EXE
3160	svchost.com
8	FA9309~1.EXE
1300	svchost.com
1236	FA9309~1.EXE
2308	svchost.com
4796	FA9309~1.EXE
4892	svchost.com
4932	FA9309~1.EXE
4388	svchost.com
4760	FA9309~1.EXE
4572	svchost.com
624	FA9309~1.EXE
3460	svchost.com
4168	FA9309~1.EXE
2884	svchost.com
3504	FA9309~1.EXE
640	svchost.com
4976	FA9309~1.EXE
3048	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	FA9309~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	FA9309~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA9309~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	FA9309~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2268	4164	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	82
PID 4164 wrote to memory of 2268	4164	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	82
PID 4164 wrote to memory of 2268	4164	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	82
PID 2268 wrote to memory of 2372	2268	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	83
PID 2268 wrote to memory of 2372	2268	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	83
PID 2268 wrote to memory of 2372	2268	fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	83
PID 2372 wrote to memory of 3224	2372	svchost.com	84
PID 2372 wrote to memory of 3224	2372	svchost.com	84
PID 2372 wrote to memory of 3224	2372	svchost.com	84
PID 3224 wrote to memory of 1696	3224	FA9309~1.EXE	85
PID 3224 wrote to memory of 1696	3224	FA9309~1.EXE	85
PID 3224 wrote to memory of 1696	3224	FA9309~1.EXE	85
PID 1696 wrote to memory of 1228	1696	svchost.com	86
PID 1696 wrote to memory of 1228	1696	svchost.com	86
PID 1696 wrote to memory of 1228	1696	svchost.com	86
PID 1228 wrote to memory of 1240	1228	FA9309~1.EXE	87
PID 1228 wrote to memory of 1240	1228	FA9309~1.EXE	87
PID 1228 wrote to memory of 1240	1228	FA9309~1.EXE	87
PID 1240 wrote to memory of 4912	1240	svchost.com	88
PID 1240 wrote to memory of 4912	1240	svchost.com	88
PID 1240 wrote to memory of 4912	1240	svchost.com	88
PID 4912 wrote to memory of 3408	4912	FA9309~1.EXE	89
PID 4912 wrote to memory of 3408	4912	FA9309~1.EXE	89
PID 4912 wrote to memory of 3408	4912	FA9309~1.EXE	89
PID 3408 wrote to memory of 3996	3408	svchost.com	90
PID 3408 wrote to memory of 3996	3408	svchost.com	90
PID 3408 wrote to memory of 3996	3408	svchost.com	90
PID 3996 wrote to memory of 4068	3996	FA9309~1.EXE	91
PID 3996 wrote to memory of 4068	3996	FA9309~1.EXE	91
PID 3996 wrote to memory of 4068	3996	FA9309~1.EXE	91
PID 4068 wrote to memory of 100	4068	svchost.com	92
PID 4068 wrote to memory of 100	4068	svchost.com	92
PID 4068 wrote to memory of 100	4068	svchost.com	92
PID 100 wrote to memory of 1708	100	FA9309~1.EXE	93
PID 100 wrote to memory of 1708	100	FA9309~1.EXE	93
PID 100 wrote to memory of 1708	100	FA9309~1.EXE	93
PID 1708 wrote to memory of 60	1708	svchost.com	94
PID 1708 wrote to memory of 60	1708	svchost.com	94
PID 1708 wrote to memory of 60	1708	svchost.com	94
PID 60 wrote to memory of 4896	60	FA9309~1.EXE	95
PID 60 wrote to memory of 4896	60	FA9309~1.EXE	95
PID 60 wrote to memory of 4896	60	FA9309~1.EXE	95
PID 4896 wrote to memory of 852	4896	svchost.com	96
PID 4896 wrote to memory of 852	4896	svchost.com	96
PID 4896 wrote to memory of 852	4896	svchost.com	96
PID 852 wrote to memory of 4516	852	FA9309~1.EXE	97
PID 852 wrote to memory of 4516	852	FA9309~1.EXE	97
PID 852 wrote to memory of 4516	852	FA9309~1.EXE	97
PID 4516 wrote to memory of 8	4516	svchost.com	128
PID 4516 wrote to memory of 8	4516	svchost.com	128
PID 4516 wrote to memory of 8	4516	svchost.com	128
PID 8 wrote to memory of 4076	8	FA9309~1.EXE	99
PID 8 wrote to memory of 4076	8	FA9309~1.EXE	99
PID 8 wrote to memory of 4076	8	FA9309~1.EXE	99
PID 4076 wrote to memory of 3536	4076	svchost.com	100
PID 4076 wrote to memory of 3536	4076	svchost.com	100
PID 4076 wrote to memory of 3536	4076	svchost.com	100
PID 3536 wrote to memory of 4992	3536	FA9309~1.EXE	101
PID 3536 wrote to memory of 4992	3536	FA9309~1.EXE	101
PID 3536 wrote to memory of 4992	3536	FA9309~1.EXE	101
PID 4992 wrote to memory of 2572	4992	svchost.com	102
PID 4992 wrote to memory of 2572	4992	svchost.com	102
PID 4992 wrote to memory of 2572	4992	svchost.com	102
PID 2572 wrote to memory of 1940	2572	FA9309~1.EXE	173

C:\Users\Admin\AppData\Local\Temp\fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
"C:\Users\Admin\AppData\Local\Temp\fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\3582-490\fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        23⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        25⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        29⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        33⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        35⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        37⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        39⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        41⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        43⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        45⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        47⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        49⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        53⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        55⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        66⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        67⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        69⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        70⤵
        Modifies registry class
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        71⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        72⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        73⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        74⤵
        
        PID:4088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        75⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        76⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        77⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        78⤵
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        80⤵
        Modifies registry class
        
        PID:3768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        81⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        82⤵
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        83⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        84⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        86⤵
        
        PID:832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        87⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        89⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        90⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        91⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        92⤵
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        93⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        94⤵
        Drops file in Windows directory
        
        PID:3392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        95⤵
        Drops file in Windows directory
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        96⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        97⤵
        Drops file in Windows directory
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        98⤵
        Modifies registry class
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        99⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        100⤵
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        102⤵
        Checks computer location settings
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        103⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        104⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        105⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        106⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        108⤵
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        109⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        110⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        111⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        112⤵
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        113⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        114⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        115⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        116⤵
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        117⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        118⤵
        Checks computer location settings
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        119⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        121⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        122⤵
        Modifies registry class
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        123⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        124⤵
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        125⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        126⤵
        Checks computer location settings
        
        PID:4624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        127⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        128⤵
        Checks computer location settings
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        129⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        130⤵
        
        PID:4552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        131⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        132⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        133⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        134⤵
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        136⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        137⤵
        Drops file in Windows directory
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        138⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        139⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        140⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        141⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        142⤵
        
        PID:4060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        143⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        144⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        145⤵
        Drops file in Windows directory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        146⤵
        Checks computer location settings
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        147⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        148⤵
        Modifies registry class
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        149⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        150⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        151⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        152⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        153⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        155⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        156⤵
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        157⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        158⤵
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        159⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        160⤵
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        161⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        162⤵
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        163⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        164⤵
        Modifies registry class
        
        PID:4832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        165⤵
        Drops file in Windows directory
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        167⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        168⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        169⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        170⤵
        Modifies registry class
        
        PID:4992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        171⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        173⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        174⤵
        
        PID:4244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        175⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        176⤵
        
        PID:1376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        177⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        178⤵
        Checks computer location settings
        
        PID:704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        180⤵
        Drops file in Windows directory
        
        PID:4468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        181⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        182⤵
        Checks computer location settings
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        183⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        184⤵
        Modifies registry class
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        185⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        186⤵
        Modifies registry class
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        187⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        188⤵
        
        PID:3412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        189⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        190⤵
        Checks computer location settings
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        191⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        192⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        193⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        194⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        195⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        196⤵
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        197⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        198⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        199⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        200⤵
        
        PID:4536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        201⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        202⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        203⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        205⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        206⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        207⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        208⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        209⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        210⤵
        
        PID:4436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        211⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        212⤵
        Checks computer location settings
        
        PID:3504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        213⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        214⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        215⤵
        Drops file in Windows directory
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        216⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        217⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        218⤵
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        219⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        220⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        221⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        222⤵
        
        PID:3728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        223⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        225⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        226⤵
        Modifies registry class
        
        PID:3328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        227⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        228⤵
        Checks computer location settings
        
        PID:4528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        229⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        230⤵
        
        PID:4964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        231⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        232⤵
        Checks computer location settings
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        233⤵
        Drops file in Windows directory
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        234⤵
        
        PID:1788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        235⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        236⤵
        
        PID:4296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        237⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        238⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        240⤵
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        241⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        242⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        245⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        246⤵
        Modifies registry class
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        247⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        248⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        249⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        250⤵
        Checks computer location settings
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        251⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        252⤵
        
        PID:4776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        253⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        254⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        255⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        256⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        257⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        258⤵
        Modifies registry class
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        260⤵
        Checks computer location settings
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        261⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        262⤵
        
        PID:4832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        263⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        264⤵
        Modifies registry class
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        265⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        266⤵
        Drops file in Windows directory
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        267⤵
        Drops file in Windows directory
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        268⤵
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        269⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        270⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        271⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        272⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        273⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        274⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        275⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        276⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        277⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        278⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        279⤵
        Drops file in Windows directory
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        280⤵
        Checks computer location settings
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        281⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        282⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        283⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        285⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        286⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        287⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        288⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        289⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        290⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        291⤵
        Drops file in Windows directory
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        292⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        293⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        294⤵
        
        PID:2204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        295⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        296⤵
        
        PID:4584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        297⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        298⤵
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        299⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        300⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        301⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        302⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        304⤵
        
        PID:3392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        305⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        306⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        307⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        308⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        311⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        312⤵
        
        PID:3372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        313⤵
        Drops file in Windows directory
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        314⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        316⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        317⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        318⤵
        Checks computer location settings
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        319⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        320⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        322⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        323⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        324⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        325⤵
        Drops file in Windows directory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        326⤵
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        327⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        328⤵
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        329⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        330⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        332⤵
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        333⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        334⤵
        Checks computer location settings
        
        PID:1568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        335⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        336⤵
        
        PID:3252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        337⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        338⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        339⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        340⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        341⤵
        Drops file in Windows directory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        342⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        343⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        344⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        345⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        346⤵
        Modifies registry class
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        347⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        348⤵
        
        PID:4028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        349⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        350⤵
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        351⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        352⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        353⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        354⤵
        Checks computer location settings
        
        PID:4196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        355⤵
        Drops file in Windows directory
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        356⤵
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        357⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        358⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        359⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        360⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        361⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        362⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        363⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        364⤵
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        365⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        367⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        368⤵
        Checks computer location settings
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        369⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        370⤵
        
        PID:528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        371⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        372⤵
        
        PID:704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        373⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        374⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        375⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        376⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        377⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        378⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        379⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        380⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        381⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        382⤵
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        383⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        384⤵
        Checks computer location settings
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        385⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        386⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        387⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        388⤵
        
        PID:1240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        389⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        390⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        391⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        392⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        393⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        394⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        395⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        396⤵
        Drops file in Windows directory
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        397⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        398⤵
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        399⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        400⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        401⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        402⤵
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        403⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        404⤵
        
        PID:3512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        405⤵
        Drops file in Windows directory
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        406⤵
        
        PID:4928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        407⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        408⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        409⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        410⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        411⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        412⤵
        Drops file in Windows directory
        
        PID:4108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        413⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        414⤵
        Checks computer location settings
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        415⤵
        Drops file in Windows directory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        416⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        417⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        418⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        419⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        420⤵
        Drops file in Windows directory
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        421⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        422⤵
        Checks computer location settings
        
        PID:632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        423⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        424⤵
        
        PID:2124
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        425⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        426⤵
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        427⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        428⤵
        Checks computer location settings
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        429⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        430⤵
        Checks computer location settings
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        431⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        432⤵
        Checks computer location settings
        
        PID:4164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        433⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        434⤵
        Drops file in Windows directory
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        435⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        436⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        437⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        438⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        439⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        440⤵
        Checks computer location settings
        
        PID:3240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        441⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        442⤵
        Drops file in Windows directory
        
        PID:116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        443⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        444⤵
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        445⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        446⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        447⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        448⤵
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        449⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        450⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        451⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        452⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        453⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        454⤵
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        455⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        456⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        457⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        458⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        459⤵
        Drops file in Windows directory
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        460⤵
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        461⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        462⤵
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        463⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        464⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        465⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        466⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        467⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        468⤵
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        469⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        470⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        471⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        472⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        473⤵
        Drops file in Windows directory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        474⤵
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        475⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        476⤵
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        477⤵
        Drops file in Windows directory
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        478⤵
        Checks computer location settings
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        479⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        480⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        481⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        482⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        483⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        484⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        485⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        486⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        487⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        488⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        489⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        490⤵
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        491⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        492⤵
        Checks computer location settings
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        493⤵
        Drops file in Windows directory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        494⤵
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        495⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        496⤵
        
        PID:4288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        497⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        498⤵
        Drops file in Windows directory
        
        PID:4524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        499⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        500⤵
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        501⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        502⤵
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        503⤵
        Drops file in Windows directory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        504⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        505⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        506⤵
        
        PID:3680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        507⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        508⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        509⤵
        Drops file in Windows directory
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        510⤵
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        511⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        512⤵
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        513⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        514⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        515⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        516⤵
        Checks computer location settings
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        517⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        518⤵
        Drops file in Windows directory
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        519⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        520⤵
        
        PID:164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        521⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        522⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        523⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        524⤵
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        525⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        526⤵
        
        PID:4948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        527⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        528⤵
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        529⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        530⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        531⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        532⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        533⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        534⤵
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        535⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        536⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        537⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        538⤵
        Modifies registry class
        
        PID:3160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        539⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        540⤵
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        541⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        542⤵
        
        PID:656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        543⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        544⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        545⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        546⤵
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        547⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        548⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        549⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        550⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        551⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        552⤵
        
        PID:4976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        553⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        554⤵
        
        PID:3676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        555⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        556⤵
        
        PID:3408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        557⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        558⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        559⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        560⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        561⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        562⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        563⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        564⤵
        
        PID:812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        565⤵
        Drops file in Windows directory
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        566⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        567⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        568⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        569⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        570⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        571⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        572⤵
        
        PID:3232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        573⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        574⤵
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        575⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        576⤵
        Checks computer location settings
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        577⤵
        Drops file in Windows directory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        578⤵
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        579⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        580⤵
        Drops file in Windows directory
        
        PID:624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        581⤵
        Drops file in Windows directory
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        582⤵
        Modifies registry class
        
        PID:4852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        583⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        584⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        585⤵
        Drops file in Windows directory
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        586⤵
        Drops file in Windows directory
        
        PID:4740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        587⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        588⤵
        
        PID:3196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        589⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        590⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        591⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        592⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        593⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        594⤵
        
        PID:3168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        595⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        596⤵
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        597⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        598⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        599⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        600⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        601⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        602⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        603⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        604⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        605⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        606⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        607⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        608⤵
        
        PID:1016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        609⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        610⤵
        Modifies registry class
        
        PID:440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        611⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        612⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        613⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        614⤵
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        615⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        616⤵
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        617⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        618⤵
        
        PID:924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        619⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        620⤵
        
        PID:4952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        621⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        622⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        623⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        624⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        625⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        626⤵
        
        PID:5020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        627⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        628⤵
        
        PID:4068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        629⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        630⤵
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        631⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        632⤵
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        633⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        634⤵
        
        PID:4512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        635⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        636⤵
        
        PID:3592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        637⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        638⤵
        
        PID:3104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        639⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        640⤵
        
        PID:4892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        641⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        642⤵
        
        PID:4820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE"
        643⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\FA9309~1.EXE
        644⤵
        
        PID:836

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1048

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1156

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sj1DsE/pA067UEyV9B7fxw.0.2
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
366KB

MD5
fbbde1cc9128fff8bdffd792e6ea8cce

SHA1
480368754e21ff97ded1f55f736c1427bb388ca3

SHA256
c26681e4c77fac521ec4ba461e34bbe17bdf566af7c004c96e30b8fc785af73c

SHA512
2ecb93ddb1f58e0f3b845e80c76b706b0adc4ab30220eda837cdf13723a730f725e97f81d2f76ef8e0148703ba8e0d4dd57a03f303d09fee78bed0bd5a0ff274

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
1106ff26e23d003793c9d5bef018ecba

SHA1
e0a2ce8fa76f2e95d7d8a29e80f6fa765ce6a9ef

SHA256
059db5529603304417e4b8deb7d9f5be475863a23b6c8db7d99599b814d17e9d

SHA512
2cc7f4495c6d6754c132b808efafca5438cbd2e8d31accd090b579710bdfce0d98a1497f682b8478da255d6a7f1b1efca21ef6d5aa633a55d866f9f84d933102

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE

Filesize
198KB

MD5
7429ce42ac211cd3aa986faad186cedd

SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac

SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f

SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe

Filesize
893KB

MD5
df2d0e6961395601760f880e88d0dbc3

SHA1
99f362f5e0ab9a966f60d1a0f2f2a1e8d730470b

SHA256
a6acd9d298d56d30167678cab7eaab376e5b2ede28af6b862c21b26223384750

SHA512
046137676d36adbbbebfdcb4f7c951d411ef1ede3040287ee6533f509fc59cacd3eefd94e2c0f9ae5a3f7c0dbbca019069e1df5ac3f120e981f3d8a12a6e9733

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
1d3f5a90a3fcee9290c3975f2f4416c8

SHA1
345c9744d696596a8302d76c2b13613cd70b796d

SHA256
d5d937a994acce0f0135368a088c2eb66eb1f407cd5991a63714579fbb2145fd

SHA512
caefc7bcf3d7c7bde8437dcbbc311b23d45bf1a0ea1ea98920deea90953264323c788ceb8aae57c0f985b0758b420e71f3562e5124626bfa519a9df05bbf050d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
1ceb2d78f35b1c1bdabe4744f343929c

SHA1
ce5e13541ac33cb725dc2fcc216754ec2473a371

SHA256
bf822523494079d766a63e5e5a603c7548aefc5fd00a35e42011f18e352395f6

SHA512
545bb8b67f3f7f83585bdbcb94b3bcce6f382ef9523a62533245358bd70643666c07a7b4b1a6bfceb071bf3df49b19e00e3e01bdf172198912950f86691e1e74

Download Submit
memory/8-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/8-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/60-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/100-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/440-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/516-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/640-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/852-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/880-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/956-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1204-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1236-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1240-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1300-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1568-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1992-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2140-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-275-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3224-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3280-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3408-52-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3460-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3536-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3556-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3728-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3760-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3948-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3996-56-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4076-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4168-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4288-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4388-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4516-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4572-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4608-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4760-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4764-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4796-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4892-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4912-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4920-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4992-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads