neshta | 7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Size

265KB
MD5

2e74c916bee35d5b748ddde7e555693e
SHA1

d14604184262d1d42df9e9c9ad41b8b7fbdc0ed8
SHA256

7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd
SHA512

b5c8ca23f1ab8e6fab182d33c1cf6ade51450b0f9000191288462072308843c8c505021ef5f018524d522ed2e376133434415348e74706714b55c9807612b038
SSDEEP

3072:zr8WDrCbzmm71+7Xj4HOb+wlCXv3hVvr8WDrC:Pud7YXj4iRlqJu

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
2904	svchost.com
2900	7DF959~1.EXE
2848	svchost.com
2812	7DF959~1.EXE
2568	svchost.com
2980	7DF959~1.EXE
1028	svchost.com
876	7DF959~1.EXE
936	svchost.com
2840	7DF959~1.EXE
2536	svchost.com
1228	7DF959~1.EXE
2872	svchost.com
376	7DF959~1.EXE
1696	svchost.com
1648	7DF959~1.EXE
2256	svchost.com
1164	7DF959~1.EXE
1812	svchost.com
1808	7DF959~1.EXE
1544	svchost.com
3012	7DF959~1.EXE
2508	svchost.com
1616	7DF959~1.EXE
2516	svchost.com
2464	7DF959~1.EXE
1156	svchost.com
568	7DF959~1.EXE
896	svchost.com
1768	7DF959~1.EXE
1600	svchost.com
2748	7DF959~1.EXE
2824	svchost.com
2576	7DF959~1.EXE
2564	svchost.com
2156	7DF959~1.EXE
2424	svchost.com
564	7DF959~1.EXE
332	svchost.com
1324	7DF959~1.EXE
576	svchost.com
2840	7DF959~1.EXE
1276	svchost.com
1044	7DF959~1.EXE
1308	svchost.com
2336	7DF959~1.EXE
1708	svchost.com
2844	7DF959~1.EXE
2820	svchost.com
2396	7DF959~1.EXE
1644	svchost.com
1656	7DF959~1.EXE
2188	svchost.com
2104	7DF959~1.EXE
3032	svchost.com
2236	7DF959~1.EXE
2044	svchost.com
2040	7DF959~1.EXE
1104	svchost.com
1812	7DF959~1.EXE
1140	svchost.com
2864	7DF959~1.EXE
996	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
2904	svchost.com
2904	svchost.com
2848	svchost.com
2848	svchost.com
2568	svchost.com
2568	svchost.com
1028	svchost.com
1028	svchost.com
936	svchost.com
936	svchost.com
2536	svchost.com
2536	svchost.com
2872	svchost.com
2872	svchost.com
2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
1696	svchost.com
1696	svchost.com
2256	svchost.com
2256	svchost.com
1812	svchost.com
1812	svchost.com
1544	svchost.com
1544	svchost.com
2508	svchost.com
2508	svchost.com
2516	svchost.com
2516	svchost.com
1156	svchost.com
1156	svchost.com
896	svchost.com
896	svchost.com
1600	svchost.com
2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
1600	svchost.com
2824	svchost.com
2824	svchost.com
2564	svchost.com
2564	svchost.com
2424	svchost.com
2424	svchost.com
332	svchost.com
332	svchost.com
576	svchost.com
576	svchost.com
1276	svchost.com
1276	svchost.com
1308	svchost.com
1308	svchost.com
1708	svchost.com
1708	svchost.com
2820	svchost.com
2820	svchost.com
1644	svchost.com
1644	svchost.com
2188	svchost.com
2188	svchost.com
3032	svchost.com
3032	svchost.com
2044	svchost.com
2044	svchost.com
1104	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	7DF959~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7DF959~1.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2248	2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	30
PID 2220 wrote to memory of 2248	2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	30
PID 2220 wrote to memory of 2248	2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	30
PID 2220 wrote to memory of 2248	2220	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	30
PID 2248 wrote to memory of 2904	2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	31
PID 2248 wrote to memory of 2904	2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	31
PID 2248 wrote to memory of 2904	2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	31
PID 2248 wrote to memory of 2904	2248	7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe	31
PID 2904 wrote to memory of 2900	2904	svchost.com	32
PID 2904 wrote to memory of 2900	2904	svchost.com	32
PID 2904 wrote to memory of 2900	2904	svchost.com	32
PID 2904 wrote to memory of 2900	2904	svchost.com	32
PID 2900 wrote to memory of 2848	2900	7DF959~1.EXE	33
PID 2900 wrote to memory of 2848	2900	7DF959~1.EXE	33
PID 2900 wrote to memory of 2848	2900	7DF959~1.EXE	33
PID 2900 wrote to memory of 2848	2900	7DF959~1.EXE	33
PID 2848 wrote to memory of 2812	2848	svchost.com	34
PID 2848 wrote to memory of 2812	2848	svchost.com	34
PID 2848 wrote to memory of 2812	2848	svchost.com	34
PID 2848 wrote to memory of 2812	2848	svchost.com	34
PID 2812 wrote to memory of 2568	2812	7DF959~1.EXE	35
PID 2812 wrote to memory of 2568	2812	7DF959~1.EXE	35
PID 2812 wrote to memory of 2568	2812	7DF959~1.EXE	35
PID 2812 wrote to memory of 2568	2812	7DF959~1.EXE	35
PID 2568 wrote to memory of 2980	2568	svchost.com	36
PID 2568 wrote to memory of 2980	2568	svchost.com	36
PID 2568 wrote to memory of 2980	2568	svchost.com	36
PID 2568 wrote to memory of 2980	2568	svchost.com	36
PID 2980 wrote to memory of 1028	2980	7DF959~1.EXE	37
PID 2980 wrote to memory of 1028	2980	7DF959~1.EXE	37
PID 2980 wrote to memory of 1028	2980	7DF959~1.EXE	37
PID 2980 wrote to memory of 1028	2980	7DF959~1.EXE	37
PID 1028 wrote to memory of 876	1028	svchost.com	117
PID 1028 wrote to memory of 876	1028	svchost.com	117
PID 1028 wrote to memory of 876	1028	svchost.com	117
PID 1028 wrote to memory of 876	1028	svchost.com	117
PID 876 wrote to memory of 936	876	7DF959~1.EXE	39
PID 876 wrote to memory of 936	876	7DF959~1.EXE	39
PID 876 wrote to memory of 936	876	7DF959~1.EXE	39
PID 876 wrote to memory of 936	876	7DF959~1.EXE	39
PID 936 wrote to memory of 2840	936	svchost.com	72
PID 936 wrote to memory of 2840	936	svchost.com	72
PID 936 wrote to memory of 2840	936	svchost.com	72
PID 936 wrote to memory of 2840	936	svchost.com	72
PID 2840 wrote to memory of 2536	2840	7DF959~1.EXE	41
PID 2840 wrote to memory of 2536	2840	7DF959~1.EXE	41
PID 2840 wrote to memory of 2536	2840	7DF959~1.EXE	41
PID 2840 wrote to memory of 2536	2840	7DF959~1.EXE	41
PID 2536 wrote to memory of 1228	2536	svchost.com	42
PID 2536 wrote to memory of 1228	2536	svchost.com	42
PID 2536 wrote to memory of 1228	2536	svchost.com	42
PID 2536 wrote to memory of 1228	2536	svchost.com	42
PID 1228 wrote to memory of 2872	1228	7DF959~1.EXE	43
PID 1228 wrote to memory of 2872	1228	7DF959~1.EXE	43
PID 1228 wrote to memory of 2872	1228	7DF959~1.EXE	43
PID 1228 wrote to memory of 2872	1228	7DF959~1.EXE	43
PID 2872 wrote to memory of 376	2872	svchost.com	44
PID 2872 wrote to memory of 376	2872	svchost.com	44
PID 2872 wrote to memory of 376	2872	svchost.com	44
PID 2872 wrote to memory of 376	2872	svchost.com	44
PID 376 wrote to memory of 1696	376	7DF959~1.EXE	45
PID 376 wrote to memory of 1696	376	7DF959~1.EXE	45
PID 376 wrote to memory of 1696	376	7DF959~1.EXE	45
PID 376 wrote to memory of 1696	376	7DF959~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
"C:\Users\Admin\AppData\Local\Temp\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        18⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        22⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        36⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        38⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        46⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        58⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        59⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        61⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        63⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        65⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        66⤵
        
        PID:920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        67⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        68⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        69⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        70⤵
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        71⤵
        Drops file in Windows directory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        72⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        73⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        74⤵
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        75⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        76⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        77⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        78⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        79⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        80⤵
        
        PID:2716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        81⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        83⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        84⤵
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        86⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        87⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        88⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        89⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        90⤵
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        91⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        92⤵
        
        PID:2452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        93⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        94⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        95⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        96⤵
        
        PID:1800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        97⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        98⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        100⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        101⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        102⤵
        
        PID:2528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        103⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        104⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        105⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        106⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        107⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        108⤵
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        109⤵
        Drops file in Windows directory
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        110⤵
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        111⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        112⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        113⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        114⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        115⤵
        Drops file in Windows directory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        116⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        117⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        118⤵
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        119⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        120⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        122⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        123⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        125⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        126⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        127⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        128⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        129⤵
        Drops file in Windows directory
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        131⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        132⤵
        
        PID:320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        134⤵
        
        PID:652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        135⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        136⤵
        Drops file in Windows directory
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        137⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        139⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        140⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        141⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        142⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        143⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        144⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        145⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        146⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        147⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        148⤵
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        149⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        150⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        151⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        153⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        154⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        155⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        156⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        157⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        158⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        159⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        160⤵
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        161⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        162⤵
        
        PID:2196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        163⤵
        Drops file in Windows directory
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        164⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        167⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        168⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        169⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        170⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        171⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        172⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        173⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        174⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        175⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        176⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        177⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        178⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        179⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        180⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        181⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        182⤵
        Drops file in Windows directory
        
        PID:564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        183⤵
        Drops file in Windows directory
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        184⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        185⤵
        Drops file in Windows directory
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        186⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        187⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        188⤵
        
        PID:1448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        189⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        191⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        192⤵
        Drops file in Windows directory
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        193⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        194⤵
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        195⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        196⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        197⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        198⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        199⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        200⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        201⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        202⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        203⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        204⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        205⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        206⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        207⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        208⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        209⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        211⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        212⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        213⤵
        Drops file in Windows directory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        214⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        215⤵
        Drops file in Windows directory
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        216⤵
        Drops file in Windows directory
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        217⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        218⤵
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        219⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        220⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        221⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        222⤵
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        223⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        224⤵
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        225⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        226⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        227⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        228⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        229⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        230⤵
        Drops file in Windows directory
        
        PID:584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        231⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        232⤵
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        233⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        234⤵
        Drops file in Windows directory
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        236⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        237⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        238⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        239⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        240⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        242⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        243⤵
        Drops file in Windows directory
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        244⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        245⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        246⤵
        
        PID:1492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        247⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        248⤵
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        249⤵
        Drops file in Windows directory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        250⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        251⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        252⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        253⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        254⤵
        
        PID:3020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        255⤵
        Drops file in Windows directory
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        256⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        257⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        259⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        260⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        261⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        262⤵
        Drops file in Windows directory
        
        PID:2556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        263⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        264⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        265⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        266⤵
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        267⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        269⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        270⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        271⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        273⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        274⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        275⤵
        Drops file in Windows directory
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        276⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        277⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        278⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        279⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        280⤵
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        281⤵
        Drops file in Windows directory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        282⤵
        
        PID:1228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        283⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        284⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        285⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        286⤵
        Drops file in Windows directory
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        287⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        288⤵
        Drops file in Windows directory
        
        PID:1828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        289⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        290⤵
        
        PID:3032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        291⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        292⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        293⤵
        Drops file in Windows directory
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        294⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        295⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        296⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        297⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        298⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        300⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        301⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        302⤵
        Drops file in Windows directory
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        303⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        304⤵
        Drops file in Windows directory
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        305⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        306⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        307⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        308⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        309⤵
        Drops file in Windows directory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        310⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        311⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        312⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        313⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        314⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        315⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        316⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        317⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        318⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        319⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        320⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        321⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        322⤵
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        323⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        324⤵
        Drops file in Windows directory
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        326⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        327⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        328⤵
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        329⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        330⤵
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        331⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        332⤵
        Drops file in Windows directory
        
        PID:1872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        333⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        334⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        335⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        336⤵
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        337⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        338⤵
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        339⤵
        Drops file in Windows directory
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        340⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        341⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        342⤵
        
        PID:444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        343⤵
        Drops file in Windows directory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        344⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        346⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        347⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        348⤵
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        349⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        352⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        354⤵
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        355⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        356⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        357⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        358⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        359⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        360⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        361⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        362⤵
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        363⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        364⤵
        
        PID:2156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        365⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        367⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        368⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        369⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        370⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        371⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        372⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        373⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        374⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        375⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        376⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        377⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        378⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        380⤵
        Drops file in Windows directory
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        381⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        382⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        383⤵
        Drops file in Windows directory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        384⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        385⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        386⤵
        
        PID:1128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        387⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        388⤵
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        389⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        390⤵
        
        PID:1540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        391⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        392⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        393⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        394⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        395⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        396⤵
        
        PID:892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        397⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        398⤵
        Drops file in Windows directory
        
        PID:1500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        399⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        400⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        401⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        402⤵
        
        PID:1652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        403⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        404⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        405⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        406⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        407⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        408⤵
        
        PID:2984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        409⤵
        Drops file in Windows directory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        410⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        411⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        412⤵
        
        PID:1680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        413⤵
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        414⤵
        Drops file in Windows directory
        
        PID:936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        415⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        416⤵
        Drops file in Windows directory
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        417⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        418⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        419⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        420⤵
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        421⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        422⤵
        Drops file in Windows directory
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        423⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        424⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        425⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        426⤵
        
        PID:2932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        427⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        428⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        429⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        430⤵
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        431⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        432⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        433⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        434⤵
        
        PID:2948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        435⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        436⤵
        
        PID:1104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        437⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        438⤵
        
        PID:2116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        439⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        440⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        441⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        442⤵
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        443⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        444⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        445⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        446⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        447⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        448⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        449⤵
        Drops file in Windows directory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        450⤵
        
        PID:884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        451⤵
        Drops file in Windows directory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        452⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        453⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        454⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        455⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        456⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        457⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        458⤵
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        459⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        460⤵
        
        PID:476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        461⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        462⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        463⤵
        Drops file in Windows directory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        464⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        465⤵
        Drops file in Windows directory
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        466⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        467⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        468⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        469⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        470⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        471⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        472⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        473⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        474⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        475⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        476⤵
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        477⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        478⤵
        
        PID:2044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        479⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        480⤵
        
        PID:1812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        481⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        482⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        483⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        484⤵
        
        PID:1616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        485⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        486⤵
        
        PID:2388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        487⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        488⤵
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        489⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        490⤵
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        491⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        492⤵
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        493⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        494⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        495⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        496⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        497⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        498⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        499⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        500⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        501⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        502⤵
        
        PID:2544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        503⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        504⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        505⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        506⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        507⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        508⤵
        
        PID:2896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        509⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        510⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        511⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        512⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        513⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        514⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        515⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        516⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        517⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        518⤵
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        519⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        520⤵
        
        PID:2500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        521⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        522⤵
        
        PID:2316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        523⤵
        Drops file in Windows directory
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        524⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        525⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        526⤵
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        527⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        528⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        529⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        530⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        531⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        532⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        533⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        534⤵
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        535⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        536⤵
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        537⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        538⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        539⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        540⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        541⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        542⤵
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        543⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        544⤵
        
        PID:2772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        545⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        546⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        547⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        548⤵
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        549⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        550⤵
        Drops file in Windows directory
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        551⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        552⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        553⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        554⤵
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        555⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        556⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE"
        557⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\7DF959~1.EXE
        558⤵
        
        PID:1948

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
178KB

MD5
4654c4e42c6d5d09e6ee212db9d01084

SHA1
bf7eb8747084be00e11025995bd22dc6d439eee9

SHA256
90f0e22fb1bed221ae9829e34737c9b12e09b426ad1cb524b8059c16ea222ecf

SHA512
63182f6bf3c895cb3ab472dcc48007475a98a4262ba7b6ec4711c288e14165165a598dcb044c6f971adf3913473de8462b9b3aed03740c2051175491c1d1d809

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
171KB

MD5
c7f77b92107a9d00bb93cc862e0cabe9

SHA1
ce9e3a6d691ec5b39e3f24e75ca13dd6ac7853d5

SHA256
29ebf815005b550c62fec25ff428d057d85d9a2d57a515895337489ac73447fa

SHA512
58deb70ffa214b0ed2d8c91a17b13a3d04fee734378461b9a07fd2d893fae5466808ccfb627607794a6c2faa637a9a0b490b471434ceeb63f211e5eee45e9991

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c964bb4c53f77f16256b2816e8a02ff7

SHA1
2ba8d61469efb714ef7fcf593445cd3d6739ee42

SHA256
9c87e32fa34c4046e595ceea563a1a6648c10b1a872361ec475c56518e0177da

SHA512
62ea0320dc5a21dfae702f5f570a263be486efab9b84472770cf98af90f57ad3823f60cb5cb1883bd0cc58512babf48f75824f536e8b4e16fdcbb637493139ea

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2f50aca08ffc461c86e8fb5bbedda142

SHA1
6fc5319d084c6e13f950c24c78a9cadb7793c638

SHA256
d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e

SHA512
785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7df9595e573db19694671785c063120b2be88409300c34809c89865f61a181cd.exe

Filesize
224KB

MD5
e8a87b82e5a2209b51afa5f91c45ee63

SHA1
1e43df519f9632c2fb5eb2ddea122f906843c5be

SHA256
a6d3b894d8e9c806236f463971f06dc547c14b82f40201847e455ef30a4e6be6

SHA512
5f7476ef8931acfde84d89fe0a3ea1c29507183b7a68ba8f122c035c5ee81187abd462a6824cbe8ea365b5e0b7968d9cd4971f2f4ce286ce1e945e644888d7de

Download Submit
memory/332-316-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/376-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/564-304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/568-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/576-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/876-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/896-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/920-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/936-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/996-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1028-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1044-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1104-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1140-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1156-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1164-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1276-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1308-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1324-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1544-201-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1616-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1644-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1656-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1812-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2236-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2424-305-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2508-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2536-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2812-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2824-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2900-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-200-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads