neshta | f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
Size

1.4MB
MD5

da0dabd3074a2f56d1239bf8c1cb5ecc
SHA1

6a872ac401adc8a44326a0ef14cd215ac9eceacc
SHA256

f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c
SHA512

aa158a2196849c7a66b309c81022f2222576c00bea9716357be788d83a0ca1e815dc2c9636a2e0d830e007f14979ed4df6e94e2e5ef67f3229d07e652db3106a
SSDEEP

24576:epaiGhP1x+96UBz1V/7hw5CILSbvCDpmdLq9zyMfNyAGW6xRZzXeyNbgQF:BiI1k9/HYCtMpK2zyM45fzuYbgQF

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 64 IoCs

pid	Process
3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
2188	svchost.com
1368	F4A905~1.EXE
2644	svchost.com
2816	F4A905~1.EXE
2660	svchost.com
2836	F4A905~1.EXE
2556	svchost.com
2536	F4A905~1.EXE
2596	svchost.com
2992	F4A905~1.EXE
1472	svchost.com
2752	F4A905~1.EXE
2592	svchost.com
2520	F4A905~1.EXE
636	svchost.com
2756	F4A905~1.EXE
2768	svchost.com
1776	F4A905~1.EXE
348	svchost.com
1084	F4A905~1.EXE
2096	svchost.com
1840	F4A905~1.EXE
836	svchost.com
1532	F4A905~1.EXE
236	svchost.com
2284	F4A905~1.EXE
1528	svchost.com
2484	F4A905~1.EXE
112	svchost.com
2220	F4A905~1.EXE
1580	svchost.com
1792	F4A905~1.EXE
2132	svchost.com
2800	F4A905~1.EXE
2688	svchost.com
2860	F4A905~1.EXE
2828	svchost.com
2560	F4A905~1.EXE
2588	svchost.com
2564	F4A905~1.EXE
2988	svchost.com
1540	F4A905~1.EXE
1832	svchost.com
1244	F4A905~1.EXE
1788	svchost.com
2752	F4A905~1.EXE
1700	svchost.com
1284	F4A905~1.EXE
108	svchost.com
1664	F4A905~1.EXE
1740	svchost.com
2404	F4A905~1.EXE
2572	svchost.com
2416	F4A905~1.EXE
2120	svchost.com
2960	F4A905~1.EXE
1636	svchost.com
684	F4A905~1.EXE
1356	svchost.com
1088	F4A905~1.EXE
1968	svchost.com
912	F4A905~1.EXE
2340	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
2188	svchost.com
2188	svchost.com
2644	svchost.com
2644	svchost.com
2660	svchost.com
2660	svchost.com
2556	svchost.com
2556	svchost.com
2596	svchost.com
2596	svchost.com
1472	svchost.com
1472	svchost.com
2592	svchost.com
2592	svchost.com
636	svchost.com
636	svchost.com
2768	svchost.com
2768	svchost.com
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
348	svchost.com
348	svchost.com
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
2096	svchost.com
2096	svchost.com
836	svchost.com
836	svchost.com
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
236	svchost.com
236	svchost.com
1528	svchost.com
1528	svchost.com
112	svchost.com
112	svchost.com
3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
1580	svchost.com
1580	svchost.com
2132	svchost.com
2132	svchost.com
2688	svchost.com
2688	svchost.com
2828	svchost.com
2828	svchost.com
2588	svchost.com
2588	svchost.com
2988	svchost.com
2988	svchost.com
1832	svchost.com
1832	svchost.com
1788	svchost.com
1788	svchost.com
1700	svchost.com
1700	svchost.com
108	svchost.com
108	svchost.com
1740	svchost.com
1740	svchost.com
2572	svchost.com
2572	svchost.com
2120	svchost.com
2120	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\svchost.com	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	F4A905~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F4A905~1.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3012	1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	31
PID 1708 wrote to memory of 3012	1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	31
PID 1708 wrote to memory of 3012	1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	31
PID 1708 wrote to memory of 3012	1708	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	31
PID 3012 wrote to memory of 2188	3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	32
PID 3012 wrote to memory of 2188	3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	32
PID 3012 wrote to memory of 2188	3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	32
PID 3012 wrote to memory of 2188	3012	f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe	32
PID 2188 wrote to memory of 1368	2188	svchost.com	33
PID 2188 wrote to memory of 1368	2188	svchost.com	33
PID 2188 wrote to memory of 1368	2188	svchost.com	33
PID 2188 wrote to memory of 1368	2188	svchost.com	33
PID 1368 wrote to memory of 2644	1368	F4A905~1.EXE	34
PID 1368 wrote to memory of 2644	1368	F4A905~1.EXE	34
PID 1368 wrote to memory of 2644	1368	F4A905~1.EXE	34
PID 1368 wrote to memory of 2644	1368	F4A905~1.EXE	34
PID 2644 wrote to memory of 2816	2644	svchost.com	35
PID 2644 wrote to memory of 2816	2644	svchost.com	35
PID 2644 wrote to memory of 2816	2644	svchost.com	35
PID 2644 wrote to memory of 2816	2644	svchost.com	35
PID 2816 wrote to memory of 2660	2816	F4A905~1.EXE	36
PID 2816 wrote to memory of 2660	2816	F4A905~1.EXE	36
PID 2816 wrote to memory of 2660	2816	F4A905~1.EXE	36
PID 2816 wrote to memory of 2660	2816	F4A905~1.EXE	36
PID 2660 wrote to memory of 2836	2660	svchost.com	37
PID 2660 wrote to memory of 2836	2660	svchost.com	37
PID 2660 wrote to memory of 2836	2660	svchost.com	37
PID 2660 wrote to memory of 2836	2660	svchost.com	37
PID 2836 wrote to memory of 2556	2836	F4A905~1.EXE	38
PID 2836 wrote to memory of 2556	2836	F4A905~1.EXE	38
PID 2836 wrote to memory of 2556	2836	F4A905~1.EXE	38
PID 2836 wrote to memory of 2556	2836	F4A905~1.EXE	38
PID 2556 wrote to memory of 2536	2556	svchost.com	39
PID 2556 wrote to memory of 2536	2556	svchost.com	39
PID 2556 wrote to memory of 2536	2556	svchost.com	39
PID 2556 wrote to memory of 2536	2556	svchost.com	39
PID 2536 wrote to memory of 2596	2536	F4A905~1.EXE	40
PID 2536 wrote to memory of 2596	2536	F4A905~1.EXE	40
PID 2536 wrote to memory of 2596	2536	F4A905~1.EXE	40
PID 2536 wrote to memory of 2596	2536	F4A905~1.EXE	40
PID 2596 wrote to memory of 2992	2596	svchost.com	41
PID 2596 wrote to memory of 2992	2596	svchost.com	41
PID 2596 wrote to memory of 2992	2596	svchost.com	41
PID 2596 wrote to memory of 2992	2596	svchost.com	41
PID 2992 wrote to memory of 1472	2992	F4A905~1.EXE	42
PID 2992 wrote to memory of 1472	2992	F4A905~1.EXE	42
PID 2992 wrote to memory of 1472	2992	F4A905~1.EXE	42
PID 2992 wrote to memory of 1472	2992	F4A905~1.EXE	42
PID 1472 wrote to memory of 2752	1472	svchost.com	77
PID 1472 wrote to memory of 2752	1472	svchost.com	77
PID 1472 wrote to memory of 2752	1472	svchost.com	77
PID 1472 wrote to memory of 2752	1472	svchost.com	77
PID 2752 wrote to memory of 2592	2752	F4A905~1.EXE	44
PID 2752 wrote to memory of 2592	2752	F4A905~1.EXE	44
PID 2752 wrote to memory of 2592	2752	F4A905~1.EXE	44
PID 2752 wrote to memory of 2592	2752	F4A905~1.EXE	44
PID 2592 wrote to memory of 2520	2592	svchost.com	45
PID 2592 wrote to memory of 2520	2592	svchost.com	45
PID 2592 wrote to memory of 2520	2592	svchost.com	45
PID 2592 wrote to memory of 2520	2592	svchost.com	45
PID 2520 wrote to memory of 636	2520	F4A905~1.EXE	46
PID 2520 wrote to memory of 636	2520	F4A905~1.EXE	46
PID 2520 wrote to memory of 636	2520	F4A905~1.EXE	46
PID 2520 wrote to memory of 636	2520	F4A905~1.EXE	46

C:\Users\Admin\AppData\Local\Temp\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
"C:\Users\Admin\AppData\Local\Temp\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        20⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        24⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        26⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        28⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        30⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        32⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        40⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        42⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        48⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        50⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        51⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        52⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        53⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        54⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        56⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        57⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        59⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        60⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        61⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        62⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        64⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        68⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        69⤵
        Drops file in Windows directory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        70⤵
        Drops file in Windows directory
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        71⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        72⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        73⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        74⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        75⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        76⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        77⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        78⤵
        
        PID:2712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        79⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        80⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        81⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        82⤵
        
        PID:2692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        83⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        85⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        87⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        88⤵
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        90⤵
        
        PID:660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        91⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        92⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        93⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        94⤵
        
        PID:588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        95⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        96⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        97⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        98⤵
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        99⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        100⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        101⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        102⤵
        
        PID:2620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        103⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        104⤵
        
        PID:1128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        105⤵
        Drops file in Windows directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        106⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        107⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        108⤵
        
        PID:372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        109⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        110⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        111⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        113⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        115⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        116⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        118⤵
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        119⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        120⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        121⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        122⤵
        
        PID:1256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        123⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        124⤵
        
        PID:3048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        125⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        126⤵
        
        PID:3056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        127⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        128⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        129⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        130⤵
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        131⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        132⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        134⤵
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        135⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        136⤵
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        137⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        138⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        140⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        141⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        143⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        144⤵
        Drops file in Windows directory
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        145⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        146⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        148⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        149⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        151⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        152⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        153⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        154⤵
        
        PID:276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        155⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        156⤵
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        157⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        159⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        160⤵
        Drops file in Windows directory
        
        PID:316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        161⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        162⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        163⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        164⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        165⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        166⤵
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        167⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        168⤵
        Drops file in Windows directory
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        169⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        170⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        173⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        175⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        176⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        177⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        178⤵
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        181⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        182⤵
        
        PID:1316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        183⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        184⤵
        Drops file in Windows directory
        
        PID:1832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        185⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        186⤵
        
        PID:776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        187⤵
        Drops file in Windows directory
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        188⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        189⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        190⤵
        Drops file in Windows directory
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        191⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        192⤵
        
        PID:2728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        195⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        197⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        198⤵
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        199⤵
        Drops file in Windows directory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        200⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        201⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        202⤵
        
        PID:396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        203⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        204⤵
        
        PID:1748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        205⤵
        Drops file in Windows directory
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        208⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        209⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        211⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        212⤵
        
        PID:1044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        213⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        214⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        215⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        216⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        217⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        218⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        219⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        220⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        221⤵
        Drops file in Windows directory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        223⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        224⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        226⤵
        Drops file in Windows directory
        
        PID:2872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        227⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        229⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        230⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        231⤵
        Drops file in Windows directory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        232⤵
        
        PID:2364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        233⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        234⤵
        
        PID:776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        235⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        236⤵
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        237⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        238⤵
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        239⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        240⤵
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        241⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        243⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        244⤵
        Drops file in Windows directory
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        245⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        246⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        247⤵
        Drops file in Windows directory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        248⤵
        
        PID:948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        249⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        250⤵
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        251⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        252⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        253⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        254⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        256⤵
        Drops file in Windows directory
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        257⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        258⤵
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        259⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        260⤵
        
        PID:556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        261⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        262⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        263⤵
        Drops file in Windows directory
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        264⤵
        Drops file in Windows directory
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        265⤵
        Drops file in Windows directory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        266⤵
        
        PID:2808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        267⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        268⤵
        
        PID:2376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        269⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        270⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        271⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        272⤵
        
        PID:2536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        273⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        274⤵
        
        PID:1600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        276⤵
        
        PID:2992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        277⤵
        Drops file in Windows directory
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        278⤵
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        279⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        280⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        281⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        283⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        284⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        285⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        286⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        287⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        288⤵
        
        PID:1624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        289⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        290⤵
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        291⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        292⤵
        
        PID:2000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        294⤵
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        295⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        296⤵
        
        PID:1396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        297⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        298⤵
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        299⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        300⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        301⤵
        Drops file in Windows directory
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        302⤵
        
        PID:572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        303⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        304⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        305⤵
        Drops file in Windows directory
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        307⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        309⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        310⤵
        
        PID:1712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        311⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        312⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        313⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        314⤵
        Drops file in Windows directory
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        315⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        316⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        317⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        318⤵
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        319⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        320⤵
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        322⤵
        
        PID:2988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        323⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        324⤵
        
        PID:1244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        325⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        326⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        327⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        328⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        329⤵
        Drops file in Windows directory
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        330⤵
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        331⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        332⤵
        
        PID:2656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        333⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        334⤵
        Drops file in Windows directory
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        335⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        336⤵
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        337⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        338⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        339⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        340⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        341⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        342⤵
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        343⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        344⤵
        
        PID:2096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        345⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        346⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        347⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        348⤵
        
        PID:2312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        349⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        350⤵
        
        PID:1684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        351⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        352⤵
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        353⤵
        Drops file in Windows directory
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        355⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        356⤵
        
        PID:2472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        357⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        358⤵
        Drops file in Windows directory
        
        PID:2688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        359⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        360⤵
        Drops file in Windows directory
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        362⤵
        
        PID:1584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        363⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        365⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        366⤵
        Drops file in Windows directory
        
        PID:2844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        367⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        368⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        369⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        370⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        371⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        372⤵
        
        PID:1672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        373⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        374⤵
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        375⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        376⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        377⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        378⤵
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        379⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        380⤵
        Drops file in Windows directory
        
        PID:2928
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        381⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        382⤵
        
        PID:672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        383⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        384⤵
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        385⤵
        Drops file in Windows directory
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        386⤵
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        387⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        388⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        389⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        390⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        391⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        392⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        393⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        394⤵
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        395⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        396⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        397⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        398⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        399⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        400⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        401⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        402⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        403⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        404⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        405⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        406⤵
        Drops file in Windows directory
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        407⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        408⤵
        Drops file in Windows directory
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        409⤵
        Drops file in Windows directory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        410⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        411⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        412⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        413⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        414⤵
        Drops file in Windows directory
        
        PID:3036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        415⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        416⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        417⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        418⤵
        
        PID:2600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        419⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        420⤵
        
        PID:1988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        422⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        423⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        424⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        425⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        426⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        427⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        428⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        429⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        430⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        431⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        432⤵
        
        PID:1636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        433⤵
        Drops file in Windows directory
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        434⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        435⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        436⤵
        
        PID:1336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        437⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        438⤵
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        439⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        440⤵
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        441⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        442⤵
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        443⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        444⤵
        Drops file in Windows directory
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        445⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        446⤵
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        447⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        448⤵
        
        PID:888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        449⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        450⤵
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        451⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        452⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        453⤵
        Drops file in Windows directory
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE
        454⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\F4A905~1.EXE"
        455⤵
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
cc7668bafeaf4f410ebea75e0b709784

SHA1
349a049b07dc521c5cde8bb9b6cf1da63185a2c7

SHA256
97c04dfc6c6c3dd612f05646be74c04828706739656b94d8d5235a9b9d498841

SHA512
6686888dfd543998037e87b397b88f9285dcc9e84d6380e9da89d9072c968c5013f851b94dac1988b5ddead7e0d68a2a8061f1ae8e9c3edc01c1710a103c3512

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
92ba5cb9e059080b94a4c49fe48bb793

SHA1
516b09666b583802335dbf9ea17e0253848bc5b4

SHA256
ad9a9ad0a341229389a4dcaad9e52f645fd4b69e679122b4e74a15f6c1bb2903

SHA512
711f2b644a0519eea8c604ae330b2cc2d419ad94b92d2f3fc792acc19de9d582a47ce42a84fd691dba4bee9d8d705836bd61b17ccab2707dfa21776d315122f7

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f4a9055f6eb03dfe4fc0420ccf8e6218dce26069c29fce0fbe63c1ad15e83e1c.exe

Filesize
1.4MB

MD5
2136c7c810ee3819856089a1ab19cea0

SHA1
153e52d42dc1c0faf524d65515b4b3b7bd228fab

SHA256
1778fda3c179515355b6c3814d6b673d60601e75f145654ce122fc203f3a2cb0

SHA512
e644ae3c6bec165e18a9bf521b09f07288be5dec8988b8ce1c666a416941ed61533782275fe9279316d9b84528a4d87d50248bf0a4755adf95b135f5ca233052

Download Submit
memory/108-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/112-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/236-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/348-162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/636-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/684-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/836-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/912-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1088-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1244-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1284-351-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1356-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-229-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1540-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1580-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1636-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1788-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1792-272-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1800-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1832-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-184-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-185-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-415-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-228-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2536-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2560-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2564-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2588-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2592-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2800-282-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads