neshta | 7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
Size

301KB
MD5

408826cfe2454311f032f323a3f62e99
SHA1

547d37b16f499c68e9affe4de72b644bf5321cda
SHA256

7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd
SHA512

3056ef3263c0be2b528fb92f5ddef481136d182c71f192da4b88a392d0acad616226ce31e3b2c41bc7de21e79a6dd7b984deedd5b3217d55b65c73f00e52ef58
SSDEEP

3072:zr8WDrCxjoByFgAsaCRSkrmfAPXSPBIFXMN3uCo//9urTWuFsxihGrJW/UmTXItd:PuqchCReAPC0XMRqGWUlxTXb0bYu

Score

10^/10

neshta discovery persistence pyinstaller spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2416	svchost.com
2996	7CFCC6~1.EXE
2712	svchost.com
2900	7CFCC6~1.EXE
2836	svchost.com
2604	7CFCC6~1.EXE
3008	svchost.com
2564	7CFCC6~1.EXE
2688	svchost.com
2612	7CFCC6~1.EXE
1700	svchost.com
2468	7CFCC6~1.EXE
1696	svchost.com
1796	7CFCC6~1.EXE
1452	svchost.com
2744	7CFCC6~1.EXE
2200	svchost.com
2052	7CFCC6~1.EXE
708	svchost.com
1868	7CFCC6~1.EXE
2912	svchost.com
2544	7CFCC6~1.EXE
2036	svchost.com
1860	7CFCC6~1.EXE
1844	svchost.com
2308	7CFCC6~1.EXE
588	svchost.com
1736	7CFCC6~1.EXE
2300	svchost.com
3068	7CFCC6~1.EXE
2424	svchost.com
2784	7CFCC6~1.EXE
2772	svchost.com
2824	7CFCC6~1.EXE
2592	svchost.com
2572	7CFCC6~1.EXE
2584	svchost.com
2564	7CFCC6~1.EXE
2984	svchost.com
1936	7CFCC6~1.EXE
1148	svchost.com
1372	7CFCC6~1.EXE
2512	svchost.com
2096	7CFCC6~1.EXE
1660	svchost.com
1036	7CFCC6~1.EXE
2500	svchost.com
864	7CFCC6~1.EXE
1608	svchost.com
1980	7CFCC6~1.EXE
2808	svchost.com
2656	7CFCC6~1.EXE
2396	svchost.com
2856	7CFCC6~1.EXE
2496	svchost.com
1968	7CFCC6~1.EXE
1504	svchost.com
1364	7CFCC6~1.EXE
1600	svchost.com
1864	7CFCC6~1.EXE
1772	svchost.com
2076	7CFCC6~1.EXE
1404	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2416	svchost.com
2416	svchost.com
2712	svchost.com
2712	svchost.com
2836	svchost.com
2836	svchost.com
3008	svchost.com
3008	svchost.com
2688	svchost.com
2688	svchost.com
1700	svchost.com
1700	svchost.com
936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
1696	svchost.com
1696	svchost.com
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
1452	svchost.com
1452	svchost.com
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2200	svchost.com
2200	svchost.com
708	svchost.com
708	svchost.com
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2912	svchost.com
2912	svchost.com
936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2036	svchost.com
2036	svchost.com
3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
1844	svchost.com
1844	svchost.com
936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
588	svchost.com
588	svchost.com
2300	svchost.com
2300	svchost.com
2424	svchost.com
2424	svchost.com
936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
2772	svchost.com
2772	svchost.com
2592	svchost.com
2592	svchost.com
2584	svchost.com
2584	svchost.com
2984	svchost.com
2984	svchost.com
1148	svchost.com
1148	svchost.com
2512	svchost.com
2512	svchost.com
1660	svchost.com
1660	svchost.com
2500	svchost.com
2500	svchost.com
1608	svchost.com
1608	svchost.com
2808	svchost.com
2808	svchost.com
2396	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE
File opened for modification	C:\Windows\svchost.com	7CFCC6~1.EXE

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001600000001866f-2.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7CFCC6~1.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 936	3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	31
PID 3004 wrote to memory of 936	3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	31
PID 3004 wrote to memory of 936	3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	31
PID 3004 wrote to memory of 936	3004	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	31
PID 936 wrote to memory of 2416	936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	32
PID 936 wrote to memory of 2416	936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	32
PID 936 wrote to memory of 2416	936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	32
PID 936 wrote to memory of 2416	936	7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe	32
PID 2416 wrote to memory of 2996	2416	svchost.com	33
PID 2416 wrote to memory of 2996	2416	svchost.com	33
PID 2416 wrote to memory of 2996	2416	svchost.com	33
PID 2416 wrote to memory of 2996	2416	svchost.com	33
PID 2996 wrote to memory of 2712	2996	7CFCC6~1.EXE	34
PID 2996 wrote to memory of 2712	2996	7CFCC6~1.EXE	34
PID 2996 wrote to memory of 2712	2996	7CFCC6~1.EXE	34
PID 2996 wrote to memory of 2712	2996	7CFCC6~1.EXE	34
PID 2712 wrote to memory of 2900	2712	svchost.com	35
PID 2712 wrote to memory of 2900	2712	svchost.com	35
PID 2712 wrote to memory of 2900	2712	svchost.com	35
PID 2712 wrote to memory of 2900	2712	svchost.com	35
PID 2900 wrote to memory of 2836	2900	7CFCC6~1.EXE	36
PID 2900 wrote to memory of 2836	2900	7CFCC6~1.EXE	36
PID 2900 wrote to memory of 2836	2900	7CFCC6~1.EXE	36
PID 2900 wrote to memory of 2836	2900	7CFCC6~1.EXE	36
PID 2836 wrote to memory of 2604	2836	svchost.com	37
PID 2836 wrote to memory of 2604	2836	svchost.com	37
PID 2836 wrote to memory of 2604	2836	svchost.com	37
PID 2836 wrote to memory of 2604	2836	svchost.com	37
PID 2604 wrote to memory of 3008	2604	7CFCC6~1.EXE	38
PID 2604 wrote to memory of 3008	2604	7CFCC6~1.EXE	38
PID 2604 wrote to memory of 3008	2604	7CFCC6~1.EXE	38
PID 2604 wrote to memory of 3008	2604	7CFCC6~1.EXE	38
PID 3008 wrote to memory of 2564	3008	svchost.com	69
PID 3008 wrote to memory of 2564	3008	svchost.com	69
PID 3008 wrote to memory of 2564	3008	svchost.com	69
PID 3008 wrote to memory of 2564	3008	svchost.com	69
PID 2564 wrote to memory of 2688	2564	7CFCC6~1.EXE	40
PID 2564 wrote to memory of 2688	2564	7CFCC6~1.EXE	40
PID 2564 wrote to memory of 2688	2564	7CFCC6~1.EXE	40
PID 2564 wrote to memory of 2688	2564	7CFCC6~1.EXE	40
PID 2688 wrote to memory of 2612	2688	svchost.com	41
PID 2688 wrote to memory of 2612	2688	svchost.com	41
PID 2688 wrote to memory of 2612	2688	svchost.com	41
PID 2688 wrote to memory of 2612	2688	svchost.com	41
PID 2612 wrote to memory of 1700	2612	7CFCC6~1.EXE	42
PID 2612 wrote to memory of 1700	2612	7CFCC6~1.EXE	42
PID 2612 wrote to memory of 1700	2612	7CFCC6~1.EXE	42
PID 2612 wrote to memory of 1700	2612	7CFCC6~1.EXE	42
PID 1700 wrote to memory of 2468	1700	svchost.com	43
PID 1700 wrote to memory of 2468	1700	svchost.com	43
PID 1700 wrote to memory of 2468	1700	svchost.com	43
PID 1700 wrote to memory of 2468	1700	svchost.com	43
PID 2468 wrote to memory of 1696	2468	7CFCC6~1.EXE	44
PID 2468 wrote to memory of 1696	2468	7CFCC6~1.EXE	44
PID 2468 wrote to memory of 1696	2468	7CFCC6~1.EXE	44
PID 2468 wrote to memory of 1696	2468	7CFCC6~1.EXE	44
PID 1696 wrote to memory of 1796	1696	svchost.com	45
PID 1696 wrote to memory of 1796	1696	svchost.com	45
PID 1696 wrote to memory of 1796	1696	svchost.com	45
PID 1696 wrote to memory of 1796	1696	svchost.com	45
PID 1796 wrote to memory of 1452	1796	7CFCC6~1.EXE	46
PID 1796 wrote to memory of 1452	1796	7CFCC6~1.EXE	46
PID 1796 wrote to memory of 1452	1796	7CFCC6~1.EXE	46
PID 1796 wrote to memory of 1452	1796	7CFCC6~1.EXE	46

C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
"C:\Users\Admin\AppData\Local\Temp\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        44⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        57⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        66⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        67⤵
        Drops file in Windows directory
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        68⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        69⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        70⤵
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        71⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        72⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        73⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        74⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        76⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        77⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        78⤵
        
        PID:2804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        79⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        80⤵
        
        PID:2676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        81⤵
        Drops file in Windows directory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        82⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        83⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        84⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        85⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        86⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        87⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        88⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        89⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        90⤵
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        91⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        92⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        93⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        94⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        95⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        96⤵
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        97⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        98⤵
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        99⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        100⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        101⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        102⤵
        
        PID:680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        103⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        104⤵
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        105⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        106⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        107⤵
        Drops file in Windows directory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        110⤵
        
        PID:788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        112⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        113⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        114⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        115⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        116⤵
        
        PID:896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        117⤵
        Drops file in Windows directory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        118⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        119⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        120⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        121⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        122⤵
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        123⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        124⤵
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        125⤵
        Drops file in Windows directory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        126⤵
        
        PID:2892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        127⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        128⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        129⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        130⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        131⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        133⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        134⤵
        
        PID:3052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        135⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        136⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        138⤵
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        139⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        140⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        141⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        142⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        143⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        144⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        145⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        146⤵
        Drops file in Windows directory
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        147⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        149⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        150⤵
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        151⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        152⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        153⤵
        Drops file in Windows directory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        154⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        155⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        156⤵
        
        PID:2076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        157⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        158⤵
        
        PID:1916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        159⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        160⤵
        Drops file in Windows directory
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        162⤵
        
        PID:1960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        163⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        164⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        165⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        166⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        167⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        168⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        169⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        171⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        173⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        174⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        175⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        176⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        178⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        179⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        180⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        181⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        182⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        183⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        184⤵
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        185⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        186⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        187⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        188⤵
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        189⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        190⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        191⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        193⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        194⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        195⤵
        Drops file in Windows directory
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        196⤵
        Drops file in Windows directory
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        197⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        198⤵
        Drops file in Windows directory
        
        PID:996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        199⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        200⤵
        Drops file in Windows directory
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        201⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        202⤵
        
        PID:108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        203⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        206⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        207⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        208⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        209⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        210⤵
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        211⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        213⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        214⤵
        Drops file in Windows directory
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        215⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        217⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        218⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        219⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        220⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        221⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        222⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        223⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        224⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        225⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        226⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        227⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        228⤵
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        229⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        230⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        231⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        232⤵
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        233⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        234⤵
        
        PID:864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        235⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        236⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        237⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        238⤵
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        239⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        240⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        241⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        242⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        243⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        244⤵
        
        PID:996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        245⤵
        Drops file in Windows directory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        246⤵
        
        PID:708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        247⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        248⤵
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        249⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        250⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        251⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        252⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        253⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        255⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        256⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        257⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        258⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        259⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        260⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        261⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        262⤵
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        264⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        266⤵
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        267⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        268⤵
        Drops file in Windows directory
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        269⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        270⤵
        
        PID:872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        271⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        272⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        273⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        276⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        277⤵
        Drops file in Windows directory
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        278⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        280⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        281⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        282⤵
        
        PID:1408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        283⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        285⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        286⤵
        Drops file in Windows directory
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        289⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        290⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        293⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        294⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        295⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        296⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        298⤵
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        299⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        300⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        301⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        304⤵
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        305⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        306⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        307⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        308⤵
        Drops file in Windows directory
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        309⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        311⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        312⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        313⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        314⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        315⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        316⤵
        Drops file in Windows directory
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        317⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        319⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        320⤵
        Drops file in Windows directory
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        321⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        323⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        324⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        325⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        326⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        327⤵
        Drops file in Windows directory
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        328⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        329⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        330⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        331⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        332⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        335⤵
        Drops file in Windows directory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        336⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        338⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        339⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        340⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        342⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        343⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        344⤵
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        345⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        346⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        347⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        348⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        349⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        350⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        351⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        352⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        353⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        354⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        355⤵
        Drops file in Windows directory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        356⤵
        
        PID:1344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        357⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        358⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        359⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        360⤵
        Drops file in Windows directory
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        361⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        362⤵
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        364⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        365⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        366⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        367⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        368⤵
        
        PID:1012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        369⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        370⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        371⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        372⤵
        
        PID:868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        373⤵
        Drops file in Windows directory
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        374⤵
        
        PID:2012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        375⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        376⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        377⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        378⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        380⤵
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        381⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        382⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        383⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        385⤵
        Drops file in Windows directory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        386⤵
        
        PID:2276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        387⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        388⤵
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        390⤵
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        391⤵
        Drops file in Windows directory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        392⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        393⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        394⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        395⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        396⤵
        
        PID:2300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        397⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        398⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        399⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        400⤵
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        401⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        402⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        403⤵
        Drops file in Windows directory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        404⤵
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        405⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        406⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        407⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        408⤵
        
        PID:1248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        409⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        410⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        411⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        412⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        413⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        414⤵
        Drops file in Windows directory
        
        PID:1764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        415⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        416⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        417⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        418⤵
        
        PID:2024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        419⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        420⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        422⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        423⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        424⤵
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        425⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        426⤵
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        427⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        428⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        430⤵
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        431⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        432⤵
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        433⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        434⤵
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        435⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        436⤵
        
        PID:1860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        437⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        438⤵
        
        PID:2876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE"
        439⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE
        440⤵
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
19feeebcfb818724752cc00ce9d2bd1b

SHA1
56d62cba9ffc38997c7cb637f0f365d899ba8f27

SHA256
abcd71656c9b90220c118e6fb8e334d78e5f2ea0f02ddf64bd3f9d8f503539f0

SHA512
cb23aca213be3da84ca0a5e254f750c60fa9b16a10e8b94f659aecbd837afad945671c525d55d476ac1c9be9df0628c6b9b78c85fe61e06185d6e5b81de85898

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
1eb833dedf61e4c0d4d36fe1f4c4f9e6

SHA1
e530e69694513cf6ef33c7b3f5d11b2e4d8d21c9

SHA256
b88c6d6e0a64d510512dbddc966fd8d90cf72501a14a726d1e69a817b1546fac

SHA512
8ab8ab0530c07ec53049829428de83651f2fa422c59c494075a74ed59ded02281bb10968622e1f7f97a3e0cab447eb8451e70e3830dfdbfb8d07a6409c849450

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a4976519439254ea7f40d9c8aaf3b42e

SHA1
f42b2f977c2498a9705bfc337d90fd79495d79fc

SHA256
b0395474d847b8729864e79346792aba77996fb847fc8a146d609fd2a8500cfb

SHA512
2385470d6fd19a170c89eff3a2462ff0960724e6716bd7e432cee56cd811c306775cbfa7b118de5d41779f59663469320a0b8c07267be807280d3a050ea735ad

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
21a653f5da8c7b13d9a41277a03613d6

SHA1
b30699a9745f64328ff6cb0541244d5dff6c6e9a

SHA256
2b35f2e39759607412dfe4f5d934d0caf69eb96a39c3601ffc86e74bc726b1d6

SHA512
b38cbaae8eb5a2c944f144461424be3f57a42403ff83e2ade7522302e6d0c6cb1896ce2a1b8b40fd1d7c48128ad64a1fe689f7feae8e48643b80b23fffde8ee8

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
fdf02b51e6dd28873c21c55e22d276a0

SHA1
435ee11bd78ab2946ba1da65fa0e478135d87ce3

SHA256
7232825710bfe15014cbc196ccbbfe69c1a649fb00abcf16104dfd071dfc510f

SHA512
cdf5e8d55f07c3c9410f698604e3fb8f5cd9462319a936a5be29aa7e439e6dcdfbcd2174eb268d23927996074b0f574d4a4b52c47ad6259743c0741ee9683a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7CFCC6~1.EXE

Filesize
220KB

MD5
693536ef62bb12cc5ce762dea06324cf

SHA1
75cd9be4b08aebe8220727ca1a41283120712289

SHA256
aaa258d91bcfd666dbc367a0198c7b12e176a6a91cb5f91c56d99e2d78e80d23

SHA512
c718c3d823b7eef6d7daec053709383fdd6d9cb6902eda1fb1916f6af3a9c4d0eb1bfdd26560ed89fcf3a638f3ada7e0b4c0fbcb378aff75690d1d0007545bb7

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
e8d561e162ed1fb7fecd9dc375f93968

SHA1
c4e4ae68333265bf038de64856b4089726a046b7

SHA256
4c821f06812ef3ef15b95da08a7e5b3b5220cbdeff08f8fe385dd9235db79ed1

SHA512
0bb18784785ee95abe05d2c2ca970b6c1152e2b414e7d50e237df9008bbe3e1defdcd076933ef3e7f8e1e2e2ed6bf1bb3f43770fcde814a0524d36276707047b

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7cfcc6ec76d44fce62a7d39ecda4fdd591880e4c87b742ce9bb93176e6619dcd.exe

Filesize
260KB

MD5
527d3369afe964e85e82b9c7095e1274

SHA1
194faba89123aa0125178c970903f74f34b3529a

SHA256
df4523a0ecfb63fb8b8b6da8aff955bcaa87f1a16a2d70ee3fc8dbd22f6e3fca

SHA512
444c1d377a6092098799f914cdc316719aa5cba638ad64bf18db17a8ac8535bac92944865f6acaa87e41f5b8ab34d81f549753f7eb45f863f5a3c36cbb858fc3

Download Submit
memory/588-260-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/708-196-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/864-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1036-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1148-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1364-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1372-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1404-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-164-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-358-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1660-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-261-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1844-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1864-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1868-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2052-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2300-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2308-253-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-285-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2496-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-334-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2544-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2656-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2808-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2984-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads